(19) Europäisches Patentamt
     European Patent Office
     Office européen des brevets

(11) EP 1 069 498 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 17.01.2001 Bulletin 2001/03

(51) Int. Cl.7: G06F 7/72

(21) Application number: 00305405.3

(22) Date of filing: 27.06.2000

(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
     Designated Extension States: AL LT LV MK RO SI

(30) Priority: 16.07.1999 JP 20305599
               12.05.2000 JP 2000140886

(71) Applicant: Matsushita Electric Industrial Co., Ltd., Kadoma-shi, Osaka 571-8501 (JP)

(72) Inventor: Futa, Yuichi, Osaka-shi, Osaka-fu 534-0002 (JP)

(74) Representative: Crawford, Andrew Birkby et al, A.A. Thornton & Co., 235 High Holborn, London WC1V 7LE (GB)

(54) Apparatus for solving system of equations on finite field and apparatus for inverting element of extension field



(57) An equation transforming unit triangular transforms a matrix M and a vector v to generate a matrix M' and a vector v' for a system of linear equations M'x=v' in n unknowns that has an equivalence relation with a system of linear equations Mx=v in n unknowns. The triangular transformation is such that the matrix M is transformed into an upper triangular matrix without the diagonal elements of the matrix M being changed to 1. An inverting unit calculates the inverses of the diagonal elements of the matrix M'. An equation computing unit finds the solutions of the system of linear equations M'x=v' using the matrix M', the vector v', and the calculated inverses of the diagonal elements. An inverse computing unit computes the inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), based on the solutions found by the equation computing unit.



[FIG. 3: flowchart of the triangular transformation. Recoverable step text: matrix M and vector v read; j-th column from j-th to n-th row in M searched for nonzero element, and row number of first nonzero element set as k; k-th row and j-th row interchanged; a_ik ← a_jj × a_ik - a_ij × a_jk for j+1 ≤ k ≤ n; b_i ← a_jj × b_i - a_ij × b_j.]





Description 

[0001] This application is based on applications Nos. 11-203055 and 2000-140886 filed in Japan, the contents of which are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

Field of the Invention

[0002] The present invention relates to cryptographic and error correction techniques for information security, and in particular relates to computation techniques which use extension fields and systems of equations.

Description of the Prior Art 

[0003] Secret communication or digital signature techniques have increasingly been used in data communication in recent years.

[0004] Secret communication techniques allow communication to be performed without the communicated content being revealed to third parties. Digital signature techniques, meanwhile, enable the recipient to verify whether the communicated content is valid or whether the information is from the stated sender. Such secret communication or digital signature techniques use a cryptosystem called public key cryptography. Public key cryptography provides a convenient method for managing the separate encryption keys of many users, and so has become a fundamental technique for performing communication with a large number of users.

[0005] In the public key cryptography, different keys are used for encryption and decryption, with the decryption key being kept secret and the encryption key being made public. Here, one of the founding principles for the security of public key cryptography is the so-called discrete logarithm problem. Representative examples of the discrete logarithm problem are problems based on finite fields and problems based on elliptic curves. Such problems are described in detail in Neal Koblitz (1987), A Course in Number Theory and Cryptography, Springer-Verlag.

(Elliptic Curve Discrete Logarithm Problem) 

[0006] The elliptic curve discrete logarithm problem is the following.

[0007] Let E be an elliptic curve defined over a finite field GF(q) (q=p^n, p a prime, n a positive integer), with a point G on the elliptic curve E, given when the order of E is divisible by a large prime, being set as a base point. This being so, the problem is to find an integer x such that

Y=x*G

where Y is a given point on E, if such an integer x exists.

[0008] In this specification, the operator * represents elliptic curve exponentiation, so that x*G means G is added to itself x times on E. Also, GF(q) is an extension field of a finite field GF(p). For details about extension fields, see T. Okamoto & H. Yamamoto (1997), Modern Encryption, Mathematics of Information Sciences Series, Sangyo Tosho, pp.26-28.

(Prior Art 1: ElGamal Signature Scheme Which Uses the Elliptic Curve Discrete Logarithm Problem)

[0009] The ElGamal signature scheme using the elliptic curve discrete logarithm problem is described below with reference to Fig. 9.

[0010] In the figure, a device 310 used by a user A (hereafter, "user A 310"), a management center 320, and a device 330 used by a user B (hereafter, "user B 330") are connected via a network.

[0011] Let p be a prime, q=p^n, n be a positive integer, and E be an elliptic curve over a finite field GF(q), with G being a base point of E and r being the order of G. Which is to say, r is the smallest positive integer that satisfies

r*G=0

where 0 is the zero element in the additive group on the elliptic curve E.

(1) Public Key Generation by the Management Center 320

[0012] First, the management center 320 generates a public key of the user A 310 using the user A's secret key x_A which has been informed beforehand, according to the equation

(S1, S2).

[0013] The management center 320 announces the finite field GF(q), the elliptic curve E, and the base point G as system parameters, and reveals the public key of the user A 310 to the user B 330 (S3, S4).

(2) Signature Generation by the User A 310

[0014] The user A 310 generates a random number k (S5), calculates

(S6), and finds s satisfying

$$s \times k = m + r_x \times x_A \bmod r$$

(S7), where m is a message to be sent from the user A 310 to the user B 330.

[0015] The user A 310 sends the message m and the signature (R_1, s) to the user B 330 (S8).

(3) Signature Verification by the User B 330

[0016] The user B 330 verifies the authenticity of the user A 310 by judging whether

is true (S9).

[0017] This equation is derived from

$$\begin{aligned}
s*R_1 &= [((m + r_x \times x_A)/k) \times k]*G \\
&= (m + r_x \times x_A)*G \\
&= m*G + (r_x \times x_A)*G \\
&= m*G + r_x*Y_A
\end{aligned}$$

[0018] In this ElGamal digital signature scheme using the elliptic curve discrete logarithm problem, elliptic curve exponentiation is repeatedly performed to generate the public key and the signature and to verify the signature.

[0019] For details on elliptic curve exponentiation, see "Efficient Elliptic Curve Exponentiation" in Miyaji, Ono & Cohen (1997), Advances in Cryptology - Proceedings of ICICS'97, Lecture Notes in Computer Science, Springer-Verlag, pp.282~290 (hereafter "document 1").

[0020] Let an elliptic curve be defined by an equation of the form

with some point P on the elliptic curve being represented by 2-tuple coordinates (x_1, y_1) called affine coordinates.

[0021] Elliptic curve exponentiation in the 2-tuple coordinate is known to involve inverse operations on the finite field GF(q).

[0022] Document 1 makes brief mention of a 3-tuple coordinate called projective coordinate. 2-tuple coordinates can be transformed into corresponding 3-tuple coordinates as shown by

$$(x_1, y_1) \rightarrow (x_1, y_1, 1)$$

[0023] Elliptic curve exponentiation in the 3-tuple coordinate involves no inverse operations on the finite field GF(q). Since inverting a finite field element generally takes considerable computation time, the 3-tuple coordinate is often used in elliptic curve exponentiation.

[0024] However, when transforming 3-tuple coordinates into corresponding 2-tuple coordinates as shown by

$$(X, Y, Z) \rightarrow (X/Z, Y/Z)$$

inversion on the finite field GF(q) is necessary.

[0025] In step S6 in Fig. 9, for instance, after 2-tuple coordinates are transformed into 3-tuple coordinates, elliptic curve exponentiation is performed on the 3-tuple coordinates, and the resulting 3-tuple coordinates are transformed into corresponding 2-tuple coordinates. Inversion is needed in this transformation of the 3-tuple coordinates to the 2-tuple coordinates.

(Prior Art 2: Inversion in an Extension Field) 

[0026] A conventional inverse operation on an extension field GF(q) (q=p^n, p a prime, n a positive integer) is performed in the following way.

[0027] For simplicity's sake, a generator polynomial of the extension field GF(q) is set as f(g)=g^n-β whose root is α, and an element of GF(q) to be inputted in the generator polynomial is set as

(1) Step 1

[0028] Based on the element x of GF(q), a system of equations for y_i (i=0,1,...,n-1)

$$x_{n-1}y_0 + x_{n-2}y_1 + x_{n-3}y_2 + \cdots + x_0 y_{n-1} = 0$$

is formed.

(2) Step 2

[0029] The solutions y_k (k=0,1,...,n-1) of the system of equations are sought.

(3) Step 3

[0030] From the solutions y_k (k=0,1,...,n-1), the inverse

is calculated. Hence the inverse of the element x in the extension field GF(q) is obtained.
[0031] The validity of this inverse operation is shown below.

[0032] If the inverse I and the element x satisfy the relationship

x×I=1 mod f(g)

then

$$\begin{aligned}
x \times I = {} & x_0 (y_0 + y_1\alpha + \cdots + y_{n-1}\alpha^{n-1}) \\
& + x_1\alpha\, (y_0 + y_1\alpha + \cdots + y_{n-1}\alpha^{n-1}) \\
& + \cdots \\
& + x_{n-1}\alpha^{n-1} (y_0 + y_1\alpha + \cdots + y_{n-1}\alpha^{n-1})
\end{aligned}$$

and also

$$\alpha^n = \beta \bmod f(g)$$

[0033] Accordingly,

$$\begin{aligned}
x \times I = {} & x_0 (y_0 + y_1\alpha + \cdots + y_{n-1}\alpha^{n-1}) \\
& + x_1 (y_0\alpha + y_1\alpha^2 + \cdots + y_{n-1}\beta) \\
& + x_2 (y_0\alpha^2 + y_1\alpha^3 + \cdots + y_{n-1}\beta\alpha) \\
& + \cdots
\end{aligned}$$

which can be rearranged in ascending order of power of α into

$$\begin{aligned}
x \times I = {} & x_0 y_0 + \beta x_{n-1} y_1 + \cdots + \beta x_1 y_{n-1} \\
& + \alpha\, (x_1 y_0 + x_0 y_1 + \cdots + \beta x_2 y_{n-1}) \\
& + \cdots
\end{aligned}$$

[0034] From this equation and the relationship x×I=1, the system of equations in step 1 is derived.

[0035] Therefore, calculating an inverse in the extension field GF(q) is equivalent to solving a system of equations on the basic field GF(p).

[0036] Though the foregoing example uses the generator polynomial of the form g^n-β for simplicity's sake, a system of equations can be formed by the same procedure for a generator polynomial of ordinary form.

(Prior Art 3: Solution of a System of Equations on the basic field GF(p))

[0037] A conventional method for solving a system of equations on the basic field GF(p) is described below. This method is called Gaussian elimination. For details on Gaussian elimination, see K. Mizugami (1985), Mathematical Calculations by Computers, Introduction to Programming Series, Asakura Shoten, pp.76~82 (hereafter "document 2").

[0038] A system of equations for x_k (k=0,1,2,...,n-1)

is solved by Gaussian elimination in the following manner.

(Step 1)

[0039] A matrix M and a vector v are given respectively as

$$M = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & & & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix}$$

v=

[0040] Meanwhile, a vector X is given as

[0041] Then the above system of equations can be simply written as

MX=v



[0042] The matrix M and the vector v are triangular transformed so as to put the matrix M into upper triangular form, as a result of which a matrix M' and a vector v' are generated. Here, the triangular transformation is such a transformation that changes all elements beneath the diagonal elements of a matrix to 0, and such a transformed matrix is called an upper triangular matrix.

[0043] The procedure of this conventional triangular transformation is explained below with reference to Fig. 10.

[0044] First, counter j is set at 1 (S21). Next, the inverse I_j of a_jj is computed (S22), 1 is assigned to a_jj (S23), and a_jk=a_jk×I_j and b_j=b_j×I_j are set for j+1≤k≤n (S24). Then counter i is set at j+1 (S25).

[0045] Following this, 0 is assigned to a_ij (S26), a_ik=a_ik-a_ij×a_jk is set for j+1≤k≤n (S27), and also b_i=b_i-a_ij×b_j is set (S28). Then it is judged whether i=n (S29). If i≠n, counter i is incremented by 1 (S31) and the procedure returns to step S26. If i=n, it is judged whether j=n (S30). If j≠n, counter j is incremented by 1 and the procedure returns to step S22. If j=n, the procedure ends.

[0046] As a result, the matrix M' and the vector v' are obtained. The matrix M' is a matrix whose diagonal elements are all 1 and whose elements beneath the diagonal elements are all 0.

[0047] The system of equations M'X=v' and the system of equations MX=v have an equivalence relation.

[0048] Let the matrix M' and the vector v' be written respectively as



<=21 ^22 "■ ^2n 



M 



(Step 2)

[0049] The system of equations M'X=v' is solved using the generated matrix M' and vector v', in the following way.

[0050] The values n-1, ... , 1, 0 are set one by one in counter c in this order. For counter c,

is calculated when c=n-1, and

n-1 
hc+1 


is calculated when 
(Concrete Example) 

[0051] A concrete example of applying the prior art 3 is presented below.

[0052] Note that this example is provided here only for facilitating the understanding of the triangular transformation, and is not an example of practical use in cryptographic communication or digital signature systems.

[0053] When a prime p=31, a generator polynomial f(g)=g^5-2, and an element x=5α^4+29α^3+6α^2+19α+17 of GF(q) are given, the calculations

$$\begin{aligned}
x \times \alpha &= 5\alpha^5 + 29\alpha^4 + 6\alpha^3 + 19\alpha^2 + 17\alpha \\
&= 29\alpha^4 + 6\alpha^3 + 19\alpha^2 + 17\alpha + 5 \times 2 \\
x \times \alpha^2 &= 29\alpha^5 + 6\alpha^4 + 19\alpha^3 + 17\alpha^2 + 10\alpha \\
&= 6\alpha^4 + 19\alpha^3 + 17\alpha^2 + 10\alpha + 29 \times 2 \\
x \times \alpha^3 &= 6\alpha^5 + 19\alpha^4 + 17\alpha^3 + 10\alpha^2 + 27\alpha \\
&= 19\alpha^4 + 17\alpha^3 + 10\alpha^2 + 27\alpha + 6 \times 2 \\
x \times \alpha^4 &= 19\alpha^5 + 17\alpha^4 + 10\alpha^3 + 27\alpha^2 + 12\alpha \\
&= 17\alpha^4 + 10\alpha^3 + 27\alpha^2 + 12\alpha + 19 \times 2
\end{aligned}$$

lead to a system of equations shown in Fig. 11(a), where a coefficient matrix 301 consists of 5 rows and 5 columns and a constant vector 302 consists of 5 elements.

[0054] In the system of equations in Fig. 11(a), a linear equation

is called a pivotal equation that serves as the pivot of transformation, and the other linear equations are called object equations that are to be transformed.
[0055] First, the inverse operation

1/17 mod 31 = 11

is performed, and then

10×11 mod 31 = 17
27×11 mod 31 = 18
12×11 mod 31 = 8
7×11 mod 31 = 15
1×11 mod 31 = 11

are calculated. As a result, the system of equations is transformed as shown in Fig. 11(b), where the element in the first column and row has become 1 in a coefficient matrix 311. The elements enclosed with the boxes in the coefficient matrix 311 and constant vector 312 in Fig. 11(b) are those which have changed from the coefficient matrix 301 and constant vector 302 in Fig. 11(a). The same goes for the rest of Fig. 11.

[0056] Here, the above inverse operation 1/17 mod 31 = 11 is carried out by first seeking a which satisfies

a×17+b×31=1

by means of the extended GCD (Greatest Common Divisor), and then setting a as the inversion result.

[0057] In general, the extended GCD takes considerable computational complexity, as it involves repeated multiplications and additions. For details on the extended GCD, see H. Cohen (1996) "A Course in Computational Algebraic Number Theory" in Graduate Texts in Mathematics 138, Springer-Verlag, pp.16~19.
[0058] Next,

17-17×19=4 mod 31
10-18×19=9 mod 31
27-8×19=30 mod 31
12-15×19=6 mod 31
0-11×19=8 mod 31

are calculated to convert the element in the first column and second row in the coefficient matrix 311 to 0, and in a like manner the elements in the first column and third to fifth rows in the coefficient matrix 311 are converted to 0, thereby transforming the coefficient matrix 311 in Fig. 11(b) into a coefficient matrix 321 shown in Fig. 11(c). The constant vector 312 is also transformed into a constant vector 322, as a result of which a system of equations shown in Fig. 11(c) is obtained.

[0059] Next, the coefficient matrix 321 is transformed into a coefficient matrix 331 so that the element in the second column and row becomes 1, and the constant vector 322 is transformed into a constant vector 332. Hence a system of equations shown in Fig. 11(d) is obtained. Further, the coefficient matrix 331 is transformed into a coefficient matrix 341 so that the elements in the second column and third to fifth rows become 0, and the constant vector 332 is transformed into a constant vector 342. Hence a system of equations shown in Fig. 11(e) is obtained.

[0060] Likewise, the element in the third column and row is converted to 1 in a coefficient matrix 351 in Fig. 11(f), and the elements in the third column and fourth to fifth rows are converted to 0 in a coefficient matrix 361 in Fig. 11(g). After this, the element in the fourth column and row is converted to 1 in a coefficient matrix 371 in Fig. 11(h), and the element in the fourth column and fifth row is converted to 0 in a coefficient matrix 381 in Fig. 11(i). Lastly, the element in the fifth column and row is converted to 1 in a coefficient matrix 391 in Fig. 11(j).

[0061] Thus, the coefficient matrix 301 is transformed into the upper triangular matrix 391.

[0062] Following this,

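$$\begin{aligned}
y_4 &= 29 \\
y_3 &= 15 - 21 \times 29 \\
&= 26 \bmod 31 \\
y_2 &= 11 - 4 \times 26 - 28 \times 29 \\
&= 25 \bmod 31 \\
y_1 &= 2 - 10 \times 25 - 23 \times 26 - 17 \times 29 \\
&= 25 \bmod 31 \\
y_0 &= 11 - 17 \times 25 - 18 \times 25 - 8 \times 26 - 15 \times 29 \\
&= 12 \bmod 31
\end{aligned}$$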



are computed. 
(Computational Complexity) 

[0063] The total computational complexity of the prior art 3 is evaluated below. Here, computational complexity of one multiplication on a basic field is measured as 1Mul and computational complexity of one inversion on the basic field is measured as 1Inv.

[0064] In step 1 in the prior art 3, computational complexity for one value of counter j can be broken down as follows.

(a) Step S22 involves one inversion, so that computational complexity is 1Inv.

(b) Step S24 involves ((n-(j+1)+1)+1)=(n-j+1) multiplications, so that computational complexity is (n-j+1)Mul.

(c) For one value of counter i, step S27 involves (n-(j+1)+1) multiplications and so computational complexity is (n-j)Mul (c1), and step S28 involves one multiplication and so computational complexity is 1Mul (c2). Since counter i changes from j+1 to n, (c1) and (c2) are repeated (n-(j+1)+1)=(n-j) times, which makes the computational complexity for all values of counter i ((n-j)(n-j+1))Mul.

[0065] Summing (a), (b), and (c) together results in computational complexity of ((n-j+1)(n-j+1))Mul+1Inv.

[0066] Since counter j changes from 1 to n, the total computational complexity of step 1 is

$$\begin{aligned}
\sum_{j=1}^{n} \bigl(((n-j+1)(n-j+1))\mathrm{Mul} + 1\mathrm{Inv}\bigr)
&= \sum_{j=1}^{n} ((n-j+1)(n-j+1))\mathrm{Mul} + \sum_{j=1}^{n} 1\mathrm{Inv} \\
&= \sum_{j=1}^{n} j^2\,\mathrm{Mul} + n\mathrm{Inv} \\
&= (1/6 \times n(n+1)(2n+1))\mathrm{Mul} + n\mathrm{Inv}
\end{aligned}$$

[0067] On the other hand, computational complexity of step 2 in the prior art 3 is as follows.

[0068] For one value of counter c, (n-(c+1)+1)=(n-c) multiplications are necessary, so that computational complexity is (n-c)Mul.

[0069] Since counter c changes from 1 to n, the total computational complexity of step 2 is

$$\begin{aligned}
\sum_{c=1}^{n} (n-c)\mathrm{Mul} &= (1/2 \times n(n+1) - n)\mathrm{Mul} \\
&= (1/2 \times n(n-1))\mathrm{Mul}
\end{aligned}$$

[0070] Therefore, the overall computational complexity of the prior art 3 is

$$\begin{aligned}
& (1/6 \times n(n+1)(2n+1) + 1/2 \times n(n-1))\mathrm{Mul} + n\mathrm{Inv} \\
&= 1/3 \times n \times (n^2 + 3n - 1)\mathrm{Mul} + n\mathrm{Inv}
\end{aligned}$$

[0071] It is known that in a general-purpose computer 1Inv=40Mul when n=5 and |q|=160 (|q| is the bit size of q). Accordingly, the overall computational complexity of the prior art 3 is 265Mul.

[0072] As described above, an inverse of an element in an extension field can be computed by solving a system of equations on a finite field. Nevertheless, given that computational complexity of inversion needed in solving the system of equations is generally large, there still remains the demand to further reduce computational complexity of solving a system of equations on a finite field, and to thereby reduce computational complexity of inverting an extension field element.

SUMMARY OF THE INVENTION

[0073] In view of the stated demand, the present invention aims to provide an apparatus, method, and storage medium storing a program for solving a system of equations on a finite field with reduced computational complexity, an apparatus, method, and storage medium storing a program for inverting an element in an extension field with reduced computational complexity, and a communication system and a record medium reproducing apparatus that utilize these apparatuses and methods.

[0074] The above object can be achieved by an apparatus for use in encryption or decryption, for solving a system of linear equations Ax=b in n unknowns on a finite field GF(p), where p is a prime, n is a positive integer, A is a coefficient matrix consisting of elements of n rows and n columns, x is a vector of unknowns consisting of n elements, and b is a constant vector consisting of n elements, the apparatus including: a parameter storing unit for storing the coefficient matrix A and the constant vector b; a triangular transforming unit for reading the coefficient matrix A and the constant vector b from the parameter storing unit, and transforming the read coefficient matrix A and constant vector b to generate a coefficient matrix C and a constant vector d for a system of linear equations Cx=d in n unknowns that is equivalent to the system of linear equations Ax=b, the coefficient matrix C consisting of elements of n rows and n columns and the constant vector d consisting of n elements, wherein the coefficient matrix A is triangular transformed into the coefficient matrix C of upper triangular form without diagonal elements of the coefficient matrix A being changed to 1; a diagonal element inverting unit for calculating inverses of diagonal elements of the generated coefficient matrix C on the finite field GF(p); and an equation computing unit for solving the system of linear equations Cx=d using the coefficient matrix C, the constant vector d, and the inverses of the diagonal elements of the coefficient matrix C, to thereby solve the system of linear equations Ax=b.

[0075] With this construction, the system of linear equations can be solved with reduced computational complexity.

[0076] Here, the triangular transforming unit may perform one or more successive transformation processes to generate the coefficient matrix C and the constant vector d of the system of linear equations Cx=d from the coefficient matrix A and the constant vector b of the system of linear equations Ax=b, wherein in each transformation process the triangular transforming unit transforms a coefficient matrix and a constant vector of a system of linear equations in n unknowns, into a coefficient matrix and a constant vector of a system of linear equations in n unknowns that is equivalent to the system of linear equations before the transformation, where the system of linear equations Ax=b is subjected to the first transformation process and the system of linear equations Cx=d is generated as a result of the last transformation process, wherein in each transformation process the system of linear equations in n unknowns that is subjected to the transformation includes one pivotal equation which is a linear equation serving as a pivot for the transformation and one or more object equations which are linear equations to be transformed, and the triangular transforming unit transforms each of the object equations into an equation equivalent to the object equation by defining a first coefficient group containing at least one value related to the pivotal equation and a second coefficient group containing n+1 values related to the pivotal equation, changing a nonzero coefficient in the object equation to 0, multiplying each of a constant and n coefficients in the object equation by the value in the first coefficient group, and subtracting the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

[0077] With this construction, the triangular transformation is carried out without the diagonal elements of the coefficient matrix of the system of linear equations being converted to

[0078] Here, each transformation process may have transformation subprocesses each for transforming a separate one of the object equations, wherein in each transformation subprocess the triangular transforming unit (a) chooses a nonzero coefficient from the pivotal equation and sets the chosen nonzero coefficient into the first coefficient group, (b) chooses a nonzero coefficient from the object equation, multiplies each of a constant and n coefficients in the pivotal equation by the nonzero coefficient chosen from the object equation, and sets n+1 values obtained by the multiplications into the second coefficient group, (c) changes the chosen nonzero coefficient in the object equation to 0, and (d) multiplies each of a constant and n coefficients in the object equation by the nonzero coefficient in the first coefficient group, and subtracts the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

[0079] Here, each transformation process may have a coefficient group calculation process and transformation subprocesses, performed following the coefficient group calculation process, each for transforming a separate one of the object equations, wherein in the coefficient group calculation process the triangular transforming unit (a) chooses m nonzero coefficients by taking one nonzero coefficient from each of the pivotal equation and the object equations, multiplies each combination of (m-1) of the chosen nonzero coefficients, and sets the m multiplication results into the first coefficient group, m being a positive integer no smaller than 2, and (b) multiplies each of a constant and n coefficients in the pivotal equation by a multiplication result in the first coefficient group for a combination of nonzero coefficients that does not include a nonzero coefficient chosen from the pivotal equation, and sets n+1 values obtained by the multiplications into the second coefficient group, and wherein in each of the transformation subprocesses following the coefficient group calculation process, the triangular transforming unit (a) changes a nonzero coefficient chosen from the object equation in the coefficient group calculation process, to 0 in the object equation, and (b) multiplies each of a constant and n coefficients in the object equation by a multiplication result in the first coefficient group for a combination of nonzero coefficients that does not include the nonzero coefficient chosen from the object equation, and subtracts the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

[0080] With these constructions, the equivalent system of linear equations can be obtained through the triangular transformation.

[0081] Here, when the diagonal elements of the coefficient matrix C are denoted by m_i (i=1,2,...,n) and the inverses of the diagonal elements m_i (i=1,2,...,n) in the finite field GF(p) are denoted by I_i (i=1,2,...,n), the diagonal element inverting unit may include (a) a multiplying unit for computing

$$t_i = \prod_{k=1}^{n} m_k \ (\text{except } m_i) \bmod p \quad (i=1,2,\ldots,n)$$

and

$$t = \prod_{k=1}^{n} m_k \bmod p$$

(b) a first inverting unit for computing

$$u = 1/t \bmod p$$

and (c) a second inverting unit for computing

$$I_i = u \times t_i \bmod p \quad (i=1,2,\ldots,n)$$

to find the inverses I_i (i=1,2,...,n).

[0082] Here, the multiplying unit may calculate


s^-m^^m^ mod p 
S2-s^^m^ mod p 

⋮

5n-j-'S„.,xin^,^ mod p 

in the stated order, then calculate

s„=ro„.,xin„ mod p

tx..J=Sn-5^5n-I ^Od p 

s„.2^in«.j^s„., mod p 

tn.,^5„.^xs„.^ mod p 






Sg=m^xsg mod p 
t^^SjXS^ mod p 
s^-m^xs^ mod p 
t^-m^xs^ mod p 
tj^m^xs^ mod p 



in the stated order, and lastly calculate

$$t = t_j \times m_j$$

for a value j chosen from a set of positive integers {1,2,...,n}.

[0083] With these constructions, the number of inverse operations needed to compute the inverses of the diagonal elements can be reduced.

[0084] As a result, overall computational complexity of the apparatus for solving a system of equations on a finite field is reduced. Such an apparatus bears high practical value, as it enables high-speed cryptographic or digital signature processing.

[0085] The above object can also be achieved by an apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, q=p^n, and n is a positive integer, the apparatus including: an equation generating unit for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α; an equation solving unit for finding solutions of the system of linear equations Ax=b, the equation solving unit including the above apparatus for solving the system of linear equations Ax=b; and an inverse computing unit for computing the inverse I using the root α and the solutions found by the equation solving unit.

[0086] With this construction, the inverse of the extension field element can be computed with reduced computational complexity.

[0087] The above object can also be achieved by a record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, q=p^n, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus including: an equation generating unit for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α; an equation solving unit for finding solutions of the system of linear equations Ax=b, the equation solving unit including the above apparatus for solving the system of linear equations Ax=b; and an inverse computing unit for computing the inverse I using the root α and the solutions found by the equation solving unit.

[0088] With this construction, the record medium reproducing apparatus can compute the inverse of the extension field element with reduced computational complexity.
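
The procedure of paragraphs [0074], [0081] and [0085], run on the numbers of the concrete example in [0053], as an added example that is not part of the patent text or the applicant's code. Function names are illustrative, the generator polynomial is assumed to have the form g^n-β used in the prior-art discussion, and the products in invert_all are formed with a prefix/suffix pass rather than in the order listed in [0082].

```python
# Added example, not code from the patent. All function names are illustrative.
# Requires Python 3.8+ for pow(t, -1, p).

def build_system(x, beta, p):
    """Return (M, v) for x*y = 1 in GF(p^n) with generator g^n - beta.

    x = [x_0, ..., x_{n-1}] holds the coefficients of 1, alpha, ..., alpha^(n-1).
    Row k of M is the coefficient of alpha^k in the product x*y.
    """
    n = len(x)
    M = [[0] * n for _ in range(n)]
    for k in range(n):
        for j in range(n):
            xi = x[(k - j) % n]
            # i + j == k contributes x_i; i + j == k + n wraps, since alpha^n = beta
            M[k][j] = xi % p if j <= k else (beta * xi) % p
    return M, [1] + [0] * (n - 1)


def triangularize(M, v, p):
    """Upper-triangular form whose diagonal is NOT scaled to 1 (no inversions)."""
    n = len(M)
    M, v = [row[:] for row in M], v[:]
    for j in range(n):
        # first row at or below j with a nonzero entry in column j becomes the pivot
        k = next((r for r in range(j, n) if M[r][j]), None)
        if k is None:
            raise ZeroDivisionError("singular system: element has no inverse")
        M[j], M[k] = M[k], M[j]
        v[j], v[k] = v[k], v[j]
        pivot = M[j][j]
        for i in range(j + 1, n):
            factor = M[i][j]
            # object row <- pivot * object row - factor * pivotal row
            for c in range(j + 1, n):
                M[i][c] = (pivot * M[i][c] - factor * M[j][c]) % p
            v[i] = (pivot * v[i] - factor * v[j]) % p
            M[i][j] = 0
    return M, v


def invert_all(ms, p):
    """Inverses of all ms modulo the prime p using a single modular inversion."""
    n = len(ms)
    prefix = [1] * (n + 1)            # prefix[i] = m_0 * ... * m_{i-1}
    for i, m in enumerate(ms):
        prefix[i + 1] = prefix[i] * m % p
    u = pow(prefix[n], -1, p)         # u = 1/t, the only inversion performed
    inverses, suffix = [0] * n, 1     # suffix = m_{i+1} * ... * m_{n-1}
    for i in range(n - 1, -1, -1):
        t_i = prefix[i] * suffix % p  # product of every m_k except m_i
        inverses[i] = u * t_i % p     # I_i = u * t_i
        suffix = suffix * ms[i] % p
    return inverses


def back_substitute(C, d, inv_diag, p):
    """Solve the upper-triangular system Cy = d using the precomputed inverses."""
    n = len(C)
    y = [0] * n
    for c in range(n - 1, -1, -1):
        rest = sum(C[c][k] * y[k] for k in range(c + 1, n))
        y[c] = (d[c] - rest) * inv_diag[c] % p
    return y


def invert_extension_element(x, beta, p):
    """Coefficients [y_0, ..., y_{n-1}] of the inverse of x in GF(p^n)."""
    M, v = build_system(x, beta, p)
    C, d = triangularize(M, v, p)
    inv_diag = invert_all([C[i][i] for i in range(len(C))], p)
    return back_substitute(C, d, inv_diag, p)


def multiply(x, y, beta, p):
    """Product in GF(p)[alpha]/(alpha^n - beta), used to check the result."""
    n = len(x)
    out = [0] * n
    for i in range(n):
        for j in range(n):
            k, term = i + j, x[i] * y[j]
            if k >= n:
                k, term = k - n, term * beta
            out[k] = (out[k] + term) % p
    return out


if __name__ == "__main__":
    x = [17, 19, 6, 29, 5]   # x = 5a^4 + 29a^3 + 6a^2 + 19a + 17 from [0053]
    y = invert_extension_element(x, beta=2, p=31)
    print(y, multiply(x, y, 2, 31))
```

The solution vector agrees with the values y_0 to y_4 that the prior-art walkthrough reaches in [0062], while only one modular inversion is performed instead of one per pivot.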

BRIEF DESCRIPTION OF THE DRAWINGS

[0089] These and other objects, advantages and features of the invention will become apparent from the following description thereof taken in conjunction with the accompanying drawings that illustrate a specific embodiment of the invention. In the drawings:

Fig. 1 is a block diagram showing the construction of an inversion apparatus 100 according to an embodiment of the invention;
Fig. 2 is a flowchart showing the general operation of the inversion apparatus 100;
Fig. 3 is a flowchart showing the operation of triangular transforming a coefficient matrix of a system of equations by an equation transforming unit 102 in the inversion apparatus 100;
Fig. 4 is a flowchart showing the operation of inverting diagonal elements of the coefficient matrix in the inversion apparatus 100;
Fig. 5 is a flowchart showing the operation of solving the system of equations in the inversion apparatus 100;
Fig. 6 shows an example of the triangular transformation by the equation transforming unit 102;
Fig. 7 is a flowchart showing the operation of triangular transforming a coefficient matrix by an equation transforming unit 102a as a variant of the invention;
Fig. 8 shows an example of the triangular transformation by the equation transforming unit 102a;
Fig. 9 is a sequential view showing the procedure of the conventional ElGamal digital signature scheme;
Fig. 10 is a flowchart showing the conventional triangular transformation of a coefficient matrix; and
Fig. 11 shows an example of the conventional triangular transformation.

DESCRIPTION OF THE PREFERRED EMBODIMENT(S)
1. Embodiment 

[0090] The following is a description of an inversion apparatus 100 according to an embodiment of the present invention.

1.1. Construction of the Inversion Apparatus 100 

[0091] The inversion apparatus 100 computes the inverse I of an element x on GF(q) (q=p^n, p a prime, n a positive integer) which is an extension field of a predetermined finite field GF(p). In this embodiment, a generator polynomial of the extension field GF(q) is g^n-β whose root is α, and the element x is such that x=x_0+x_1×α+...+x_{n-1}×α^{n-1}, where α is an element of GF(q) and β, x_0, x_1, ..., x_{n-1} are elements of GF(p).

[0092] As shown in Fig. 1, the inversion apparatus 100 is roughly made up of a parameter storing unit 200, an equation generating unit 201, an equation solving unit 202, an inverse computing unit 203, and an inverse storing unit 204.
[0093] Specifically, the inversion apparatus 100 is implemented by a computer system equipped with a microprocessor, a ROM, a RAM, a hard disk, and the like. Through execution of a computer program stored in the hard disk by the microprocessor, the equation generating unit 201, the equation solving unit 202, and the inverse computing unit 203 are realized.

(1) Parameter Storing Unit 200

[0094] The parameter storing unit 200 is implemented by the hard disk. The parameter β of the generator polynomial, the root α, and the elements x_0, x_1, ..., x_{n-1} are stored in the parameter storing unit 200 beforehand.

(2) Equation Generating Unit 201

[0095] The equation generating unit 201 reads α, x_0, x_1, ..., x_{n-1} from the parameter storing unit 200, and generates parameters of the following system of equations of y_i (i=0,1,2,...,n-1)

using the read values.
[0096] This system of equations can be written simply as 

AY=B 

where A is a matrix and Y and B are vectors such that



\ 






0x^ 
' 1^
0 
0 



\ 0 



[0097] The parameters of the system of equations generated by the equation generating unit 201 are the matrix A and the vector B. The equation generating unit 201 outputs the generated matrix A and vector B to the equation solving unit 202.

[0098] The equation generating unit 201 also outputs α, read from the parameter storing unit 200, to the inverse computing unit 203.

(3) Equation Solving Unit 202 

[0099] The equation solving unit 202, when given parameters a_ij (i,j=1,2,...,n) and b_k (k=1,2,...,n) of the following system of linear equations in n unknowns for x_i (i=1,2,...,n) on a predetermined finite field GF(p) (p a prime), solves the system of linear equations in n unknowns on GF(p).



[0100] The equation solving unit 202 includes a constant storing unit 101, an equation transforming unit 102, an inverting unit 103, and an equation computing unit 104, as shown in Fig. 1.

(Constant Storing Unit 101)

[0101] The constant storing unit 101 is implemented by the RAM. The constant storing unit 101 receives a matrix 
M and a vector v from the equation generating unit 201 and stores them. Here, the matrix M and the vector v are 
respectively 



^21 ^22



*2n 



^nl ^n2 
[0102] For example, the matrix M is the matrix A and the vector v is the vector B.

(Equation Transforming Unit 102)

[0103] The equation transforming unit 102 reads the matrix M and the vector v from the constant storing unit 101 and triangular transforms the read matrix M and vector v, to generate a matrix M' (a coefficient matrix consisting of n rows and n columns) and a vector v' (a constant vector consisting of n elements) for a system of linear equations M'x=v' in n unknowns that is equivalent to a system of linear equations Mx=v in n unknowns.

[0104] In the triangular transformation, the equation transforming unit 102 transforms the matrix M into an upper triangular matrix without changing each diagonal element of the matrix M to 1.
[0105] Such generated matrix M' and vector v' are



^11 ^12 "' ^Xn
^21 ^22 ~ ^2n

[0106] This triangular transformation is carried out in the following way.

[0107] In the triangular transformation, one or more successive transformation processes are performed to generate the matrix M' and vector v' of the system of linear equations M'x=v' from the system of linear equations Mx=v.
[0108] In each transformation process, the equation transforming unit 102 generates, from a system of linear equations in n unknowns, a coefficient matrix and a constant vector for a system of linear equations in n unknowns that is equivalent to the system of linear equations before the transformation. In this embodiment, a system of linear equations in n unknowns that is subjected to the initial transformation process is the system of linear equations Mx=v, whereas a system of linear equations in n unknowns that is obtained as a result of the last transformation process is the system of linear equations M'x=v'.

[0109] In each transformation process, a system of linear equations in n unknowns before the transformation includes one linear equation as a pivotal equation serving as the transformation pivot and one or more linear equations as object equations to be transformed.

[0110] Each transformation process has as many transformation subprocesses as there are object equations in the system of linear equations, each for transforming a separate one of the object equations to an equation equivalent to the object equation. Before transforming the object equation to the equivalent equation, a first coefficient group and a second coefficient group are defined in each transformation subprocess.

[0111] The first and second coefficient groups are each a group that contains at least one value related to the pivotal equation. To be more specific, the equation transforming unit 102 sets one nonzero coefficient of the pivotal equation into the first coefficient group. Also, the equation transforming unit 102 multiplies each of a constant and n coefficients of the pivotal equation by one nonzero coefficient of the object equation, and sets n+1 values obtained as a result into the second coefficient group.

[0112] Following this, the equation transforming unit 102 changes the nonzero coefficient of the object equation to 0. The equation transforming unit 102 then multiplies each of a constant and n coefficients of the object equation by the value in the first coefficient group, and subtracts the n+1 values in the second coefficient group respectively from the n+1 multiplication results. In so doing, the object equation is transformed into the equivalent equation where one of its nonzero coefficients has become 0.

[0113] This triangular transformation will be explained in greater detail later.

[0114] The equation transforming unit 102 outputs the generated matrix M' and vector v' to the equation computing unit 104, and outputs the diagonal elements c_ii (i=1,2,...,n) of the matrix M' to the inverting unit 103.
[0115] As described earlier, when transforming the matrix M into upper triangular form, the equation transforming unit 102 also transforms the vector v so as not to alter the solutions of the system of linear equations Mx=v. The difference with the conventional triangular transformation lies in that the diagonal elements of the matrix M are not converted to 1.

(Inverting Unit 103)

[0116] The inverting unit 103 receives the diagonal elements c_ii (i=1,2,...,n) of the matrix M' from the equation transforming unit 102.

[0117] For simplicity's sake, the diagonal elements c_ii (i=1,2,...,n) of the matrix M' are expressed as m_i (i=1,2,...,n) here.

[0118] The inverting unit 103 solves

t_i = Π_{j=1}^{n} m_j (except m_i) mod p (i=1,2,...,n)

by first calculating

15 

Sj^^m^xin^ mod p 
s^=SjXin^ mod p 

20 

^ t„-s„.3''a„., mod p 

t«-i=s„.jxin„ mod p 
^ s„=^„.i'''a„ mod p, t„.2=s„.^''s„ mod p 

Sn-j'^n-p"** «od p, t„.j=s„.s>'s„,^ mod p 
35 s„.2=in„.3xs„.i mod t„_,=s„.g''S^.j mod p 

Sg='m^''Sf mod p, ty^s^^s^ mod p 

40 

3^=013X3 J mod p, tg^m^xs^ mod p 
t^^m^'s^ mod p 

in this order. The inverting unit 103 then calculates

t = t_k×m_k mod p

using a predetermined value k (chosen from a set of positive integers {1, 2, ..., n}), and thereby solves

t = Π_{i=1}^{n} m_i mod p

[0119] The inverting unit 103 next computes

u = 1/t mod p

and finally obtains the inverses I_i (i=1,2,...,n) by

I_i = u×t_i mod p (i=1,2,...,n)

[0120] The inverting unit 103 outputs the inverses I_i (i=1,2,...,n) to the equation computing unit 104.
[0121] Thus, the inverting unit 103 computes, on GF(p), the inverses I_i (i=1,2,...,n) of the diagonal elements c_ii (i=1,2,...,n) of the matrix M' which are given from the equation transforming unit 102.

(Equation Computing Unit 104) 

[0122] The equation computing unit 104 receives the matrix M' and the vector v' from the equation transforming unit 102, and also receives the inverses I_i (i=1,2,...,n) from the inverting unit 103.

[0123] The equation computing unit 104 sets the values n-1, n-2, ..., 2, 1, 0 in counter j one at a time. For counter j, the equation computing unit 104 uses the matrix M', the vector v', and the inverses I_i (i=1,2,...,n) to compute

when j=n-1, and compute

when j≠n-1.

[0124] The equation computing unit 104 then outputs the solutions y_j (j=0,1,2,...,n-1) to the inverse computing unit 203.

[0125] The reason that the solutions of the system of linear equations in n unknowns can be found by the equation computing unit 104 is shown below.

[0126] Since the matrix M' received from the equation transforming unit 102 is an upper triangular matrix, the system of linear equations M'x=v' can be written as



with the inverses of the diagonal elements c_ii (i=1,2,...,n) of the matrix M' being I_i (i=1,2,...,n).
[0127] Accordingly, the solution y_{n-1} of x_{n-1} is

y_{n-1} = I_n×d_n mod p

the solution y_{n-2} is

y_{n-2} = I_{n-1}×(d_{n-1} - c_{n-1,n}×y_{n-1}) mod p

and the solutions y_i (i=n-3,n-4,...,0) of x_i are

(4) Inverse Computing Unit 203

[0128] The inverse computing unit 203 receives the solutions y_i (i=0,1,2,...,n-1) from the equation computing unit 104 in the equation solving unit 202, and receives the root α from the equation generating unit 201. The inverse computing unit 203 calculates the inverse I according to the equation

using the received solutions y_i (i=0,1,2,...,n-1) and root α. The inverse computing unit 203 writes the calculated inverse I into the inverse storing unit 204.
[0129] Hence the inverse I of the element x in the extension field GF(q) is obtained.

(5) Inverse Storing Unit 204

[0130] The inverse storing unit 204 is implemented by the hard disk and stores the inverse I of the element x of the extension field GF(q).

1.2. Operation of the Inversion Apparatus 100

[0131] The following is a description of the operation of the above constructed inversion apparatus 100.

(1) General Operation of the Inversion Apparatus 100

[0132] The general operation of the inversion apparatus 100 is explained below with reference to Fig. 2.
[0133] The equation generating unit 201 reads the parameter β, the root α, and x_0, x_1, ..., x_{n-1} from the parameter storing unit 200, and uses them to generate the matrix A and the vector B as the parameters of the system of linear equations AY=B in n unknowns for y_i (i=0,1,2,...,n-1). The equation generating unit 201 outputs the generated matrix A and vector B to the constant storing unit 101 in the equation solving unit 202, and outputs the root α to the inverse computing unit 203 (S101).

[0134] The equation transforming unit 102 in the equation solving unit 202 reads the matrix M and the vector v from the constant storing unit 101 and triangular transforms the read matrix M and vector v, as a result of which the matrix M' and the vector v' for the system of linear equations M'x=v' in n unknowns, that is equivalent to the system of linear equations Mx=v, are generated (S102).

[0135] The inverting unit 103 in the equation solving unit 202 calculates the inverses I_i (i=1,2,...,n) of the diagonal elements c_ii (i=1,2,...,n) of the matrix M' (S103).
[0136] The equation computing unit 104 in the equation solving unit 202, through the use of the matrix M', the vector v', and the inverses I_i (i=1,2,...,n), seeks the solutions y_j (j=0,1,2,...,n-1) of the system of linear equations M'x=v', and outputs the solutions y_j (j=0,1,2,...,n-1) to the inverse computing unit 203 (S104).

[0137] The inverse computing unit 203 receives the solutions y_j (j=0,1,2,...,n-1) from the equation computing unit 104 and the root α from the equation generating unit 201, finds the inverse I of the element x in the extension field GF(q) using the received solutions and root, and writes the inverse I into the inverse storing unit 204 (S105).

(2) Operation of Triangular Transformation by the Equation Transforming Unit 102

[0138] The operation of the triangular transformation by the equation transforming unit 102 is explained in detail below with reference to Fig. 3.

[0139] The equation transforming unit 102 reads the matrix M and the vector v from the constant storing unit 101 (S111), and sets counter j at 1 (S112).

[0140] The equation transforming unit 102 searches the jth column of the matrix M from the jth to nth rows for an element which is not 0 on GF(p), and sets the row number of a nonzero element found first as k (S113). Here, if k≠j (S114), the equation transforming unit 102 changes places between the kth row and the jth row in the matrix M (S115), and changes places between the kth row and the jth row in the vector v (S116).

[0141] The equation transforming unit 102 sets counter i at j+1 (S117), and makes the following settings using a_jj (the element in the jth row and jth column of the matrix M) and a_ij

a_ij = 0
a_ik = a_jj×a_ik - a_ij×a_jk for j+1≤k≤n (k=j+1,j+2,...,n)
b_i = a_jj×b_i - a_ij×b_j

(S118).

[0142] The equation transforming unit 102 then judges whether i=n (S119). If i≠n, the equation transforming unit 102 increments counter i by 1 (S122) and returns to step S118. If i=n, the equation transforming unit 102 judges whether j=n-1 (S120). If j≠n-1, the equation transforming unit 102 increments counter j by 1 (S123) and returns to step S113. If j=n-1, the equation transforming unit 102 sets the matrix M as the matrix M' and the vector v as the vector v', and completes the operation.

[0143] As described above, this triangular transformation includes transformation processes which correspond to the separate values of counter j, and each of the transformation processes includes transformation subprocesses which correspond to the separate values of counter i.

(Reason for Equivalence between Mx=v and M'x=v') 

[0144] The reason why the system of linear equations M'x=v' generated as a result of the triangular transformation by the equation transforming unit 102 is equivalent to the system of linear equations Mx=v is given below.

[0145] In each transformation process of the triangular transformation, let M_in and v_in be a matrix and a vector before the transformation, M_out and v_out be a matrix and a vector after the transformation, and L_i and L_j be the ith and jth row vectors of the matrix M_in.

[0146] The equation transforming unit 102 calculates

a_jj×L_i - a_ij×L_j

and, having set the resulting row vector as the ith row of the matrix M_out, calculates

the outcome of which is set as the ith row of the vector v_out. The other elements of M_out and the other elements of v_out are respectively equal to the other elements of M_in and the other elements of v_in. This being the case, the system of linear equations

and the system of linear equations

M_out x = v_out

have the same solutions, as demonstrated in document 2.
[0147] Also, the equation transforming unit 102 defines a_ij=0 for every i that satisfies j+1≤i≤n. Repeating this process from j=1 to j=n renders all elements in the lower triangle of the matrix 0. Thus, the matrix can be triangular transformed without the solutions of the system of linear equations being altered.

(3) Operation of the Inverting Unit 103

[0148] The operation of the inverting unit 103 is explained in detail below with reference to Fig. 4.
[0149] The inverting unit 103 receives the diagonal elements m_i (i=1,2,...,n) of the matrix M' from the equation transforming unit 102 (S141), and computes

t_i = Π_{j=1}^{n} m_j (except m_i) mod p (i=1,2,...,n)

(S142). The inverting unit 103 then computes

t = t_k×m_k mod p

using the predetermined value k (S143), and also computes

u = 1/t mod p

(S144). The inverting unit 103 finally finds the inverses

I_i = u×t_i mod p (i=1,2,...,n)

(S145), and outputs the inverses I_i (i=1,2,...,n) to the equation computing unit 104 (S146).
(4) Operation of the Equation Computing Unit 104 

[0150] The operation of the equation computing unit 104 is explained in detail below with reference to Fig. 5.
[0151] The equation computing unit 104 receives the matrix M' and the vector v' from the equation transforming unit 102, and receives the inverses I_i (i=1,2,...,n) from the inverting unit 103 (S161). Having set counter j at n-1 (S162), the equation computing unit 104 computes

when j=n-1, and computes

when j≠n-1 (S163).

[0152] The equation computing unit 104 judges whether j=0 (S164). If j=0, the equation computing unit 104 outputs the solutions y_j (j=0,1,2,...,n-1) to the inverse computing unit 203 (S166). Otherwise, the equation computing unit 104 decrements counter j by 1 (S165) and returns to step S163.

1.3. Computational Complexity

[0153] The computational complexity of the equation solving unit 202 is evaluated below.

(1) Computational Complexity of the Equation Transforming Unit 102

[0154] In the equation transforming unit 102, computational complexity for one value of counter j (steps S113~S119 in Fig. 3) is the following.

[0155] First, computational complexity for one value of counter i (step S118) is broken down as shown below.

(a) In step S118, the calculation a_ik = a_jj×a_ik - a_ij×a_jk is performed for j+1≤k≤n (k=j+1,j+2,...,n). This means two multiplications are repeated (n-(j+1)+1)=(n-j) times, so that computational complexity is (2×(n-j))Mul.

(b) In step S118, the calculation b_i = a_jj×b_i - a_ij×b_j involves two multiplications, so that computational complexity is 2Mul.

[0156] Since counter i changes from j+1 to n, the computational complexity of steps S113~S119 for one value of counter j is

(2×(n-j+1))Mul×(n-(j+1)+1)
= (2×(n-j)×(n-j+1))Mul

[0157] In steps S112~S120, counter j changes from 1 to n-1, so that the overall computational complexity of the equation transforming unit 102 is

Σ_{j=1}^{n-1} (2×(n-j)×(n-j+1))Mul
= 2Mul × Σ_{j=1}^{n-1} j(j+1)
= 2Mul × (Σ_{j=1}^{n-1} j^2 + Σ_{j=1}^{n-1} j)
= 2Mul × (1/6×n(n-1)(2n-1) + 1/2×n(n-1))
= 2Mul × 1/6×n(n-1)(2n-1+3)
= 1/3Mul × n(n-1)(2n+2)
= (2/3×n(n-1)(n+1))Mul
(2) Computational Complexity of the Inverting Unit 103 

[0158] The computational complexity of the inverting unit 103 can be broken down as follows. 

(a) Finding s_1~s_{n-3} and t_n requires n-2 multiplications, so that computational complexity is (n-2)Mul.

(b) Finding t_{n-1} requires one multiplication, so that computational complexity is 1Mul.

(c) Finding s„ and f„.^, and ... , and and requires 2×(n-3) multiplications, so that computational complexity is (2×(n-3))Mul.

(d) Finding requires one multiplication, so that computational complexity is 1Mul.

(e) Finding t requires one multiplication, so that computational complexity is 1Mul.

(f) Finding u=1/t mod p requires one inversion, so that computational complexity is 1Inv.

(g) Finding I_i=u×t_i mod p (i=1,2,...,n) requires n multiplications, so that computational complexity is nMul.

[0159] Summing these computational complexities gives the total computational complexity of the inverting unit 103 as

((n-2)+1+2(n-3)+1+1+n)Mul+1Inv
= (4n-5)Mul+1Inv

(3) Computational Complexity of the Equation Computing Unit 104 

[0160] In the equation computing unit 104, computational complexity for one value of counter j (steps S163~S165 in Fig. 5) is as follows.
[0161] To compute

when j=n-1 and

when j≠n-1, one multiplication and (n-(j+1)+1) multiplications are needed, which makes the computational complexity (n-j+1)Mul.

[0162] Since counter j changes from 1 to n, the total computational complexity of the equation computing unit 104 is

Σ_{j=1}^{n} (n-j+1)Mul
= (1/2×n(n+1))Mul

(4) Total Computational Complexity of the Equation Solving Unit 202

[0163] From the foregoing description, the total computational complexity of the equation solving unit 202 is given by

(2/3×n(n-1)(n+1))Mul + (4n-5)Mul + 1Inv + (1/2×n(n+1))Mul
= (1/6(4n^3+3n^2+23n-30))Mul + 1Inv

[0164] Supposing 1Inv=40Mul in a general-purpose computer when n=5 and |q|=160 (|q| is the bit size of q), the total computational complexity of the equation solving unit 202 can be estimated at 150Mul.

[0165] Thus, the computational complexity of the equation solving unit 202 of the invention is much smaller than that of the prior art. Such an equation solving unit bears huge practical value, as it enables an apparatus to solve a system of equations on a finite field with reduced computational complexity.

[0166] Also, such an equation solving unit enables an apparatus to compute an inverse I of an element x in an extension field GF(q) of a predetermined finite field GF(p) with reduced computational complexity.

1.4. Concrete Example 

[0167] The following is a concrete example of the operation of the equation solving unit 202. 
[0168] As with the prior art 3, a prime p=31, a generator polynomial f(g)=g^5-2, and an element x=5α^4+29α^3+6α^2+19α+17 of GF(q) are given. A system of equations to be solved is the same as that in the prior art 3, as shown in Fig. 6(a).

[0169] The following calculations are performed:

a_21 = 0
a_22 = 17×17 - 19×10 = 6 mod 31
a_23 = 17×10 - 19×27 = 29 mod 31
a_24 = 17×27 - 19×12 = 14 mod 31
a_25 = 17×12 - 19×7 = 9 mod 31
b_2 = 17×0 - 19×1 = 12 mod 31

[0170] When j=1 (i=2), the system of equations is transformed as shown in Fig. 6(b). Here, the element in the first column and second row has become 0 in a coefficient matrix 411.

[0171] As a result of the transformation process for j=1, the system of equations has become as shown in Fig. 6(c), where the elements in the first column and third to fifth rows are 0 in a coefficient matrix 421.

[0172] As a result of the transformation process for j=2, the system of equations has become as shown in Fig. 6(d), where the elements in the second column and third to fifth rows are 0 in a coefficient matrix 431.

[0173] As a result of the transformation process for j=3, the system of equations has become as shown in Fig. 6(e), where the elements in the third column and fourth to fifth rows are 0 in a coefficient matrix 441.
[0174] As a result of the transformation process for j=4, the system of equations has become as shown in Fig. 6(f), where the element in the fourth column and fifth row is 0 in a coefficient matrix 451.

[0175] Next, the diagonal elements in the coefficient matrix 451 are inverted by calculating

s_1 = m_1×m_2 = 17×6 = 9 mod 31
s_2 = s_1×m_3 = 9×17 = 29 mod 31
t_5 = s_2×m_4 = 29×6 = 19 mod 31
t_4 = s_2×m_5 = 29×30 = 2 mod 31
s_3 = m_4×m_5 = 6×30 = 25 mod 31
t_3 = s_1×s_3 = 9×25 = 8 mod 31
s_4 = m_3×s_3 = 17×25 = 22 mod 31
t_2 = m_1×s_4 = 17×22 = 2 mod 31
t_1 = m_2×s_4 = 6×22 = 8 mod 31
t = m_1×t_1 = 17×8 = 12 mod 31
u = 1/t = 1/12 = 13 mod 31
I_1 = u×t_1 = 13×8 = 11 mod 31
I_2 = u×t_2 = 13×2 = 26 mod 31
I_3 = u×t_3 = 13×8 = 11 mod 31
I_4 = u×t_4 = 13×2 = 26 mod 31
I_5 = u×t_5 = 13×19 = 30 mod 31

[0176] Notice that u=1/t=1/12=13 mod 31 is the only inverse operation here.
[0177] Lastly, the system of equations is solved in the following way:

y_4 = I_5×d_5 = 30×2 = 29 mod 31

y_3 = I_4×(d_4 - c_45×y_4)
= 26×(28 - 2×29) = 26 mod 31

y_2 = I_3×(d_3 - c_34×y_3 - c_35×y_4)
= 11×(1 - 6×26 - 11×29) = 25 mod 31

y_1 = I_2×(d_2 - c_23×y_2 - c_24×y_3 - c_25×y_4)
= 26×(12 - 29×25 - 14×26 - 9×29)
= 25 mod 31

y_0 = I_1×(d_1 - c_12×y_1 - c_13×y_2 - c_14×y_3 - c_15×y_4)
= 11×(1 - 10×25 - 27×25 - 12×26 - 7×29)
= 12 mod 31
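
The whole procedure of sections 1.1 to 1.4 (equation generation, triangular transformation that leaves the diagonal unnormalised, inversion of all diagonal elements with a single modular inversion, back substitution), as an added Python example that is not part of the patent text. The function names are this example's own, the matrix layout in build_system is an assumption derived from multiplying x by its inverse modulo g^n-β, and invert_all uses a plain prefix/suffix product instead of the page's exact multiplication order.

```python
# Added illustration: inversion in GF(p^n) = GF(p)[g]/(g^n - beta) by solving
# A*Y = B mod p. Names are hypothetical; sample values are the page's
# p=31, f(g)=g^5-2 example. Requires Python 3.8+ for pow(a, -1, p).

def build_system(x, beta, p):
    """Coefficient matrix A and constant vector B expressing x * I = 1.

    Assumption (the page's own equation did not survive extraction): row i
    collects the alpha^i coefficient of x*I, with alpha^n replaced by beta.
    x is given low-order coefficient first.
    """
    n = len(x)
    A = [[x[i - j] % p if i >= j else beta * x[n + i - j] % p
          for j in range(n)] for i in range(n)]
    return A, [1] + [0] * (n - 1)

def triangularize(M, v, p):
    """Step S118: a_ik = a_jj*a_ik - a_ij*a_jk, b_i = a_jj*b_i - a_ij*b_j.

    The pivot row is never divided, so no inversion happens here and the
    diagonal elements are generally not 1.
    """
    n = len(M)
    M, v = [row[:] for row in M], v[:]
    for j in range(n - 1):
        # S113-S116: first row at or below j with a nonzero entry in column j
        k = next((r for r in range(j, n) if M[r][j] % p), None)
        if k is None:
            raise ValueError("matrix is singular mod p")
        M[j], M[k], v[j], v[k] = M[k], M[j], v[k], v[j]
        for i in range(j + 1, n):
            a_jj, a_ij = M[j][j], M[i][j]
            M[i] = [(a_jj * M[i][c] - a_ij * M[j][c]) % p for c in range(n)]
            v[i] = (a_jj * v[i] - a_ij * v[j]) % p
    if M[n - 1][n - 1] % p == 0:
        raise ValueError("matrix is singular mod p")
    return M, v

def invert_all(m, p):
    """Inverses of every m[i] mod p using one modular inversion (u = 1/t)."""
    n = len(m)
    pre, suf = [1] * (n + 1), [1] * (n + 1)
    for i in range(n):
        pre[i + 1] = pre[i] * m[i] % p                  # m_1 * ... * m_{i+1}
        suf[n - 1 - i] = suf[n - i] * m[n - 1 - i] % p  # m_{n-i} * ... * m_n
    t_i = [pre[i] * suf[i + 1] % p for i in range(n)]   # all m_j except m_i
    u = pow(t_i[0] * m[0] % p, -1, p)                   # t = t_k*m_k with k=1
    return [u * ti % p for ti in t_i]

def back_substitute(C, d, inv, p):
    """Solve the upper triangular system from the last unknown upwards."""
    n = len(C)
    y = [0] * n
    for j in range(n - 1, -1, -1):
        acc = d[j] - sum(C[j][i] * y[i] for i in range(j + 1, n))
        y[j] = inv[j] * acc % p
    return y

def invert_element(x, beta, p):
    """Coefficients (low-order first) of the inverse of x in GF(p^n)."""
    A, B = build_system(x, beta, p)
    C, d = triangularize(A, B, p)
    inv = invert_all([C[i][i] for i in range(len(x))], p)
    return back_substitute(C, d, inv, p)

def ext_mul(a, b, beta, p):
    """Schoolbook product modulo g^n - beta; used only to check the result."""
    n = len(a)
    out = [0] * n
    for i in range(n):
        for j in range(n):
            scale = beta if i + j >= n else 1
            out[(i + j) % n] = (out[(i + j) % n] + scale * a[i] * b[j]) % p
    return out

# The page's element x = 5a^4 + 29a^3 + 6a^2 + 19a + 17, low-order first.
X = [17, 19, 6, 29, 5]

if __name__ == "__main__":
    I = invert_element(X, 2, 31)
    print("inverse coefficients:", I)
    print("x * I =", ext_mul(X, I, 2, 31))
```

The pivot search and Python's integer arithmetic are data-dependent, so the sketch serves to check values such as the p=31 example and is not a constant-time implementation.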



1.5. Applications

[0178] In application of the present invention to an actual communication system such as a cryptographic communication system, a digital signature communication system, or an error correction communication system, parameters such as follows are used.
[0179] For a prime p=2^31-1, q=p^n, n=5, a generator polynomial f(g)=g^5-g-8, and an element x=x_0+x_1×α+x_2×α^2+x_3×α^3+x_4×α^4 of GF(q), a system of equations is defined as



^0
^
x,*8x,
Xj +8Xj
Xj ^»x^
yi
x^^axj
0
^1
x^^Sx,
V"
^3
^2
where p, x_0, ..., x_4, and y_0, ..., y_4 are each 31 bits long, and q and x are each 155 bits long.

2. Modifications
2.1. Variant 

[0180] As a variant of the equation transforming unit 102 in the equation solving unit 202, an equation transforming unit 102a is explained below.

[0181] In the equation transforming unit 102a, each transformation process has one coefficient group calculation process and subsequent transformation subprocesses as many as object equations, each for transforming a separate one of the object equations.

[0182] In the coefficient group calculation process, the equation transforming unit 102a chooses m nonzero coefficients by taking one nonzero coefficient from each of the pivotal equation and the object equations in the coefficient matrix consisting of n rows and n columns, multiplies each combination of (m-1) of the chosen nonzero coefficients, and sets the m multiplication results into a first coefficient group. The equation transforming unit 102a then multiplies each of a constant and n coefficients of the pivotal equation by the multiplication result in the first coefficient group for a combination of nonzero coefficients that does not include the nonzero coefficient of the pivotal equation, and sets n+1 values obtained as a result into a second coefficient group.

[0183] Following this, in each of the transformation subprocesses the equation transforming unit 102a changes a nonzero coefficient chosen from an object equation to 0, multiplies each of a constant and n coefficients of the object equation by the multiplication result in the first coefficient group for a combination of nonzero coefficients that does not include the nonzero coefficient of the object equation, and subtracts the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

[0184] The operation of the equation transforming unit 102a is explained below with reference to Fig. 7. The flowchart in Fig. 7 includes steps S118a~S118c instead of step S118 in Fig. 3.

[0185] Since the other steps are the same as those in Fig. 3, the following explanation will focus on steps S118a~S118c.

[0186] In step S118a, the equation transforming unit 102a computes

for each k that satisfies j≤k≤n (k=j,j+1,...,n). In step S118b, the equation transforming unit 102a computes

w_k = h_j×a_jk

e = h_j×b_j

for each k that satisfies j+1≤k≤n (k=j+1,j+2,...,n). In step S118c, having set a_ij=0, the equation transforming unit 102a computes

b_i = h_i×b_i - e

for each k that satisfies j+1≤k≤n (k=j+1,j+2,...,n).

(Concrete Example)

10 

[0187] An example of the operation of the equation transforming unit 1 02a is shown below. 

[0188] As with the prior art 3, a prime p=31, a generator polynomial f(g)=g^-2, and an element 
x=5a ^+29ct. ^-h6a^-h19a-h17 of GF(q) are given. A system of equations to be solved is the same as that in the prior art 
3, as shown in Fig. 8(a). 
15 [0189] When J=1, the equation transforming unit 1 02a calculates 

Sj=aj^xa 21=17x19=13 mod 31 

S2=s {xa 21=13x6=16 mod 31 

20 

h^=s^a ^^=16x29=30 mod 31 
h ^=s^a gj=1 6x5=18 mod 31 
25 s g=a ^ixa gi=29x5=21 mod 31 

h 3=s jxs ^=13x21=25 mod 31 
s 4=a 3|XS g=ex21=2 mod 31 

30 

h2=a J ^xs ^=17x2=3 mod 31 
h ^=a 2ixs ^=19x2=7 mod 31 

35 and then calculates 

W2=h jxa 12=^ 10=8 mod 31 
Wj=h ^xa ^2=7x27=3 mod 31 

40 

w^=h jxa i4=7x 12=22 mod 31 
Wg=h ixa ^^=7x7=18 mod 31 
45 e=h |Xd ,=r7^ 1=7 mod 31 

[0190] When i=2 U=1), the equation transfomning unit 102a calculates 

321=0 

50 

a 22=^ 22-^2=^ 1 7-8= 12 mod 31 
a 23=^ ^^23'^ 10-3=27 mod 31 

4 

55 ' a 24=h ^a 24-w 4=3x27-22=28 mod 31 

a 25=h a 25 - w 5=3x 12- 18=18 mod 3 1 
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b 2=h 2-e=3x0-7=24 mod 31 

[0191] According to this method, only one multiplication is needed to find a/^ unlike the first embodiment which 
needs two multiplications, so that computational complexity is further reduced. 
5 [0192] With the above computations, the system of equations is transfomned as shown in Rg. 8(b), where the ele- 
ment in the first column and second row has become 0 in a coefficient matrix 51 1 . 

[0193] As a result of the transfomnation process for j=1, the system of equations has become as shown in Rg. 8(c), 
where the elements in the first column and third to fifth rows are a in a coefficient matrix 521 . 
[0194] Next, when J=2, the equation transforming unit 102a calculates 

10 

s j=:a 22<a ^12x2=24 mod 31 
h ^xa^24x 7=13 mod 31 
15 h ^=s a 5^=24x25= 1 1 mod 31 

s 4=a 42X3 5^7^25=20 mod 31 
h 3=a 2^X5 4= 12x20=23 mod 3 1 

20 

h 2=3^2^3 4=2x20=9 mod 31 

and then calculates 
25 23=^27=26 mod 31 

w 24=9x^=4 mod 31 
Wg=h2xa25=9x 18=7 mod 31 

30 

e=h 2X b 2=9x24=30 mod 3 1 

[0195] As a result of the transformation process for j=2, the system of equations has become as shown in Fig. 8(d), where the elements in the second column and third to fifth rows are 0 in a coefficient matrix 531.

[0196] Next, when j=3, the equation transforming unit 102a calculates

$$
\begin{aligned}
h_5 &= a_{33} \times a_{43} = 8 \times 14 = 19 \bmod 31 \\
h_4 &= a_{33} \times a_{53} = 8 \times 12 = 3 \bmod 31 \\
h_3 &= a_{43} \times a_{53} = 14 \times 12 = 13 \bmod 31
\end{aligned}
$$

and then calculates

$$
\begin{aligned}
w_4 &= h_3 \times a_{34} = 13 \times 1 = 13 \bmod 31 \\
w_5 &= h_3 \times a_{35} = 13 \times 7 = 29 \bmod 31 \\
e &= h_3 \times b_3 = 13 \times 26 = 28 \bmod 31
\end{aligned}
$$
[0197] As a result of the transformation process for j=3, the system of equations has become as shown in Fig. 8(e), where the elements in the third column and fourth to fifth rows are 0 in a coefficient matrix 541.

[0198] Next, when j=4, the equation transforming unit 102a calculates

$$
\begin{aligned}
h_5 &= a_{44} = 16 \bmod 31 \\
h_4 &= a_{54} = 14 \bmod 31
\end{aligned}
$$

and then calculates

$$
\begin{aligned}
w_5 &= h_4 \times a_{45} = 14 \times 26 = 23 \bmod 31 \\
e &= h_4 \times b_4 = 14 \times 23 = 12 \bmod 31
\end{aligned}
$$

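[0199] As a result of the transformation process for j=4, the system of equations has become as shown in Fig. 8(f), where the element in the fourth column and fifth row is 0 in a coefficient matrix 551.

[0200] Here, let C=A and D=B, and the diagonal elements are inverted by computing

$$
\begin{aligned}
s_1 &= m_1 \times m_2 = 17 \times 12 = 18 \bmod 31 \\
s_2 &= s_1 \times m_3 = 18 \times 8 = 20 \bmod 31 \\
t_5 &= s_2 \times m_4 = 20 \times 16 = 10 \bmod 31 \\
t_4 &= s_2 \times m_5 = 20 \times 22 = 6 \bmod 31 \\
s_3 &= m_4 \times m_5 = 16 \times 22 = 11 \bmod 31 \\
t_3 &= s_1 \times s_3 = 18 \times 11 = 12 \bmod 31 \\
s_4 &= m_3 \times s_3 = 8 \times 11 = 26 \bmod 31 \\
t_2 &= m_1 \times s_4 = 17 \times 26 = 8 \bmod 31 \\
t_1 &= m_2 \times s_4 = 12 \times 26 = 2 \bmod 31 \\
t &= m_1 \times t_1 = 17 \times 2 = 3 \bmod 31 \\
u &= 1/t = 1/3 = 21 \bmod 31 \\
I_1 &= u \times t_1 = 21 \times 2 = 11 \bmod 31 \\
I_2 &= u \times t_2 = 21 \times 8 = 13 \bmod 31 \\
I_3 &= u \times t_3 = 21 \times 12 = 4 \bmod 31 \\
I_4 &= u \times t_4 = 21 \times 6 = 2 \bmod 31
\end{aligned}
$$

[0201] Notice that u=1/t=1/3=21 mod 31 is the only inverse operation here.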
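[0202] Lastly, the system of equations is solved as follows:

$$
\begin{aligned}
y_4 &= I_5 \times d_5 = 24 \times 18 = 29 \bmod 31 \\
y_3 &= I_4 \times (d_4 - c_{45} \times y_4) \\
    &= 2 \times (23 - 26 \times 29) = 26 \bmod 31 \\
y_2 &= I_3 \times (d_3 - c_{34} \times y_3 - c_{35} \times y_4) \\
    &= 4 \times (26 - 1 \times 26 - 7 \times 29) = 25 \bmod 31 \\
y_1 &= I_2 \times (d_2 - c_{23} \times y_2 - c_{24} \times y_3 - c_{25} \times y_4) \\
    &= 13 \times (24 - 27 \times 25 - 28 \times 26 - 18 \times 29) \\
    &= 25 \bmod 31 \\
y_0 &= I_1 \times (d_1 - c_{12} \times y_1 - c_{13} \times y_2 - c_{14} \times y_3 - c_{15} \times y_4) \\
    &= 11 \times (1 - 10 \times 25 - 27 \times 25 - 12 \times 26 - 7 \times 29) \\
    &= 12 \bmod 31
\end{aligned}
$$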
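The worked example of paragraphs [0189] to [0202] as runnable Python, added here and not part of the patent text: it rebuilds the 5×5 system for x over GF(31), triangularizes it without divisions, inverts the five diagonal elements with one field inversion, and back-substitutes. The function names are hypothetical, β=2 (that is, α^5=2) is an assumption inferred from a_12 = 5β = 10, and the product helper uses a prefix/suffix schedule rather than the patent's exact multiplication order.

```python
# Added example (not from the patent text): division-free elimination over GF(p)
# followed by simultaneous inversion of the diagonal with a single field inversion.
P = 31                   # base field GF(31), as in the worked example
BETA = 2                 # assumption: alpha^5 = 2, inferred from a_12 = 5*beta = 10
X = [17, 19, 6, 29, 5]   # x = 17 + 19a + 6a^2 + 29a^3 + 5a^4, low degree first


def build_system(x, beta, p):
    """A[i][j] = coefficient of alpha^i in x*alpha^j mod (alpha^n - beta); b = (1,0,...,0)."""
    n = len(x)
    A = [[0] * n for _ in range(n)]
    col = list(x)
    for j in range(n):
        for i in range(n):
            A[i][j] = col[i]
        col = [col[-1] * beta % p] + col[:-1]   # multiply the column by alpha
    return A, [1] + [0] * (n - 1)


def products_excluding(vals, p):
    """out[i] = product of every value except vals[i]; multiplications only."""
    out, acc = [1] * len(vals), 1
    for i in range(len(vals)):             # prefix products
        out[i] = acc
        acc = acc * vals[i] % p
    acc = 1
    for i in reversed(range(len(vals))):   # suffix products
        out[i] = out[i] * acc % p
        acc = acc * vals[i] % p
    return out


def triangularize(A, b, p):
    """Upper-triangular form without scaling the diagonal to 1, so no inversions."""
    n = len(A)
    C, d = [row[:] for row in A], b[:]
    for j in range(n - 1):
        if C[j][j] == 0:
            raise ValueError("zero pivot: row exchange is outside this sketch")
        # Rows whose column-j entry is already 0 need no elimination.
        rows = [j] + [i for i in range(j + 1, n) if C[i][j] != 0]
        h = dict(zip(rows, products_excluding([C[i][j] for i in rows], p)))
        w = [h[j] * C[j][k] % p for k in range(n)]      # w_k = h_j * a_jk
        e = h[j] * d[j] % p                             # e   = h_j * b_j
        for i in rows[1:]:
            C[i][j] = 0
            for k in range(j + 1, n):
                C[i][k] = (h[i] * C[i][k] - w[k]) % p   # one multiplication per entry
            d[i] = (h[i] * d[i] - e) % p
    return C, d


def batch_inverse(m, p):
    """Return [1/m_i mod p] using one inversion: u = 1/(m_1*...*m_n), I_i = u*t_i."""
    if any(v % p == 0 for v in m):
        raise ValueError("zero diagonal element: the system is singular")
    t_i = products_excluding(m, p)
    t = t_i[0] * m[0] % p
    u = pow(t, p - 2, p)      # the only inversion (Fermat; p is prime)
    return [u * ti % p for ti in t_i]


def back_substitute(C, d, inv, p):
    """Solve Cy = d for upper-triangular C using the precomputed diagonal inverses."""
    n = len(C)
    y = [0] * n
    for i in reversed(range(n)):
        acc = d[i] - sum(C[i][k] * y[k] for k in range(i + 1, n))
        y[i] = inv[i] * acc % p
    return y


def invert_extension_element(x, beta, p):
    A, b = build_system(x, beta, p)
    C, d = triangularize(A, b, p)
    inv = batch_inverse([C[i][i] for i in range(len(C))], p)
    return back_substitute(C, d, inv, p)


def ext_mul(x, y, beta, p):
    """Multiply two elements of GF(p)[alpha]/(alpha^n - beta)."""
    n = len(x)
    out = [0] * n
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            wrap = beta if i + j >= n else 1
            out[(i + j) % n] = (out[(i + j) % n] + xi * yj * wrap) % p
    return out


if __name__ == "__main__":
    y = invert_extension_element(X, BETA, P)
    print("y =", y)                          # coefficients y_0..y_4
    print("x*y =", ext_mul(X, y, BETA, P))   # should be the field's 1
```

The intermediate matrix and the inverses it produces can be compared line by line with the values in [0190] to [0202]; multiplying x by the result in the extension field is an independent check that does not rely on the elimination being right.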



(Computational Complexity of the Equation Transforming Unit 102a)

[0203] Computational complexity of the equation transforming unit 102a for one value of counter j (steps S113~S119 in Fig. 7) is measured below.

[0204] In step S118a, (3×(n−j+1)−6) multiplications are needed to find $h_k$ (k=j,j+1,...,n), so that computational complexity is (3×(n−j+1)−6)Mul.

[0205] In step S118b, ((n−(j+1)+1)+1) multiplications are needed to find $w_k$ (k=j+1,j+2,...,n) and e, so that computational complexity is (n−j+1)Mul.

[0206] In step S118c, for one value of counter i, computational complexity is as follows.

(a) To compute $a_{ik} = h_i \times a_{ik} - w_k$ for j+1≤k≤n (k=j+1,j+2,...,n), one multiplication is repeated (n−(j+1)+1)=(n−j) times, so that computational complexity is (n−j)Mul.

(b) To compute $b_i = h_i \times b_i - e$, one multiplication is performed, so that computational complexity is 1Mul.

[0207] Since counter i changes from j+1 to n, the computational complexity of step S118c for all values of counter i is

$$
\begin{aligned}
&(n-j+1)\,\mathrm{Mul} \times (n-(j+1)+1) \\
&= ((n-j) \times (n-j+1))\,\mathrm{Mul}
\end{aligned}
$$

[0208] Accordingly, the total computational complexity of steps S118a-S118c for one value of counter j is

$$
\begin{aligned}
&((3 \times (n-j+1) - 6) + (n-j+1) + (n-j)(n-j+1))\,\mathrm{Mul} \\
&= (4 \times (n-j+1) - 6 + (n-j)(n-j+1))\,\mathrm{Mul} \\
&= ((n-j+4)(n-j+1) - 6)\,\mathrm{Mul}
\end{aligned}
$$

[0209] Since counter j changes from 1 to n−1, the total computational complexity of the equation transforming unit 102a is

$$
\begin{aligned}
&\sum_{j=1}^{n-1} ((n-j+4)(n-j+1) - 6)\,\mathrm{Mul} \\
&= 1\,\mathrm{Mul} \times \Big(\sum_{j=1}^{n-1} j^2 + 5 \times \sum_{j=1}^{n-1} j - 2 \times \sum_{j=1}^{n-1} 1\Big) \\
&= 1\,\mathrm{Mul} \times (1/6 \times n(n-1)(2n-1) + 5/2 \times n(n-1) - 2(n-1)) \\
&= 1\,\mathrm{Mul} \times (1/6 \times n(n-1)(2n-1+15) - 2(n-1)) \\
&= 1\,\mathrm{Mul} \times (1/6 \times n(n-1)(2n+14) - 2(n-1)) \\
&= 1\,\mathrm{Mul} \times (1/3 \times n(n-1)(n+7) - 2(n-1)) \\
&= 1\,\mathrm{Mul} \times (1/3 \times (n-1)(n^2+7n-6)) \\
&= (1/3 \times n^3 + 2n^2 - 13/3 \times n + 2)\,\mathrm{Mul}
\end{aligned}
$$

[0210] Therefore, the overall computational complexity of the equation solving unit 202 equipped with the equation transforming unit 102a is given by

$$
\begin{aligned}
&((1/3 \times n^3 + 2n^2 - 13/3 \times n + 2) + (4n-5) + 1/2 \times n(n+1))\,\mathrm{Mul} + 1\,\mathrm{Inv} \\
&= (1/3 \times n^3 + 5/2 \times n^2 + 1/6 \times n - 3)\,\mathrm{Mul} + 1\,\mathrm{Inv}
\end{aligned}
$$

[0211] Supposing 1Inv=40Mul when n=5, the overall computational complexity can be estimated at 142Mul.
2.2. Other Modifications

[0212]

(1) In a communication system, such as a cryptographic communication system, a digital signature communication system, or an error correction communication system, whose security is based on the discrete logarithm problem on an elliptic curve E over an extension field GF(q) of a finite field GF(p), where p is a prime, $q=p^n$, n is a positive integer, and G is a base point of E, the equation solving unit and the inversion apparatus of the invention may be used to calculate inverses of elements in the extension field GF(q). One example of cryptographic communication systems is an e-mail system on the Internet whereby messages are encrypted before transmission. One example of digital signature communication systems is an electronic banking system. One example of error correction communication systems is an e-mail system whereby, when part of a transmitted message is dropped due to deterioration in the quality of a communication line, the error is detected and corrected.

Also, the equation solving unit and the inversion apparatus of the invention may be used for encryption in a recording apparatus that encrypts copyrighted digital content using the elliptic curve discrete logarithm problem as the basis for security and records the encrypted digital content into a record medium such as a DVD or a semiconductor memory, or for decryption in a reproducing apparatus that decrypts the encrypted digital content stored in the record medium to reproduce the digital content.

By applying the invention to these systems, the inverses of extension field elements can be computed with small computational complexity.

In such applications, the equation solving unit and the inversion apparatus of the invention can be implemented, for example, as firmware stored in a mobile phone or a circuit board equipped in a personal computer.

(2) Though the generator polynomial of the form $g^n - \beta$ has been used in the above embodiment, for an ordinary generator polynomial of the nth degree such as

the inverse I of an element x in an extension field GF(q) ($q=p^n$, n a positive integer) of a predetermined finite field GF(p) can be calculated in a similar manner.

Let an ordinary polynomial f(g) of the nth degree be the generator polynomial and α be the root of f(g). For an element $x = x_0 + x_1 \times \alpha + \cdots + x_{n-1} \times \alpha^{n-1}$ in the extension field GF(q), when the coefficient of $\alpha^{i-1}$ in ($x \times \alpha^{j-1}$ mod f(α)) is denoted by $a_{ij}$, a system of linear equations in n unknowns can be written as



The reason that the system of linear equations in n unknowns can be written like this is given below.

The equations

$$x \times I = 1 \bmod f(\alpha)$$

and

$$x \times I = x \times y_0 + (x \times \alpha \bmod f(\alpha)) \times y_1 + \cdots + (x \times \alpha^{n-1} \bmod f(\alpha)) \times y_{n-1}$$

hold. The coefficient of $\alpha^{i-1}$ is given by

$$a_{i1} \times y_0 + \cdots + a_{in} \times y_{n-1}$$

The coefficients of $\alpha^{i-1}$ (i≥2) are all 0 and the coefficient of $\alpha^{0}$ (i=1) is 1. Hence the above system of linear equations in n unknowns is derived.

(3) The invention may be the equation solving method and the inversion method used in the above described equation solving unit and inversion apparatus. The invention may also be computer programs for implementing these methods, or digital signals for executing the computer programs.

Also, the invention may be computer-readable storage mediums, such as floppy disks, hard disks, CD-ROMs, MOs, DVDs, DVD-ROMs, DVD-RAMs, or semiconductor memories, that store the computer programs or the digital signals. Likewise, the invention may be the computer programs or digital signals stored in such storage mediums.

Also, the invention may be realized by transferring the computer programs or the digital signals on a carrier wave via a network such as a telecommunication network, a radio or cable communication network, or the Internet.

Further, the invention may be realized by distributing the computer programs or the digital signals stored in the storage mediums or transferring the computer programs or the digital signals on the carrier wave via the network so that they can be used in other computer systems.

(4) Various combinations of the embodiment and the modifications stated above are possible.

Although the present invention has been fully described by way of examples with reference to the accompanying drawings, it is to be noted that various changes and modifications will be apparent to those skilled in the art. Therefore, unless such changes and modifications depart from the scope of the present invention, they should be construed as being included therein.

Claims 

1. An apparatus for use in encryption or decryption, for solving a system of linear equations Ax=b in n unknowns on a finite field GF(p), where p is a prime, n is a positive integer, A is a coefficient matrix consisting of elements of n rows and n columns, x is a vector of unknowns consisting of n elements, and b is a constant vector consisting of n elements, the apparatus comprising:

parameter storing means for storing the coefficient matrix A and the constant vector b;

triangular transforming means for reading the coefficient matrix A and the constant vector b from the parameter storing means, and transforming the read coefficient matrix A and constant vector b to generate a coefficient matrix C and a constant vector d for a system of linear equations Cx=d in n unknowns that is equivalent to the system of linear equations Ax=b, the coefficient matrix C consisting of elements of n rows and n columns and the constant vector d consisting of n elements, wherein the coefficient matrix A is triangular transformed into the coefficient matrix C of upper triangular form without diagonal elements of the coefficient matrix A being changed to 1;

diagonal element inverting means for calculating inverses of diagonal elements of the generated coefficient matrix C on the finite field GF(p); and

equation computing means for solving the system of linear equations Cx=d using the coefficient matrix C, the constant vector d, and the inverses of the diagonal elements of the coefficient matrix C, to thereby solve the system of linear equations Ax=b.

2. The apparatus of Claim 1,

wherein the triangular transforming means performs one or more successive transformation processes to generate the coefficient matrix C and the constant vector d of the system of linear equations Cx=d from the coefficient matrix A and the constant vector b of the system of linear equations Ax=b,

wherein in each transformation process the triangular transforming means transforms a coefficient matrix and a constant vector of a system of linear equations in n unknowns, into a coefficient matrix and a constant vector of a system of linear equations in n unknowns that is equivalent to the system of linear equations before the transformation, where the system of linear equations Ax=b is subjected to the first transformation process and the system of linear equations Cx=d is generated as a result of the last transformation process,

wherein in each transformation process the system of linear equations in n unknowns that is subjected to the transformation includes one pivotal equation which is a linear equation serving as a pivot for the transformation and one or more object equations which are linear equations to be transformed, and the triangular transforming means transforms each of the object equations into an equation equivalent to the object equation by

defining a first coefficient group containing at least one value related to the pivotal equation and a second coefficient group containing n+1 values related to the pivotal equation,

changing a nonzero coefficient in the object equation to 0, and

multiplying each of a constant and n coefficients in the object equation by the value in the first coefficient group, and subtracting the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

3. The apparatus of Claim 2,

wherein each transformation process has transformation subprocesses each for transforming a separate one of the object equations,

wherein in each transformation subprocess the triangular transforming means

(a) chooses a nonzero coefficient from the pivotal equation and sets the chosen nonzero coefficient into the first coefficient group,

(b) chooses a nonzero coefficient from the object equation, multiplies each of a constant and n coefficients in the pivotal equation by the nonzero coefficient chosen from the object equation, and sets n+1 values obtained by the multiplications into the second coefficient group,

(c) changes the chosen nonzero coefficient in the object equation to 0, and

(d) multiplies each of a constant and n coefficients in the object equation by the nonzero coefficient in the first coefficient group, and subtracts the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

4. The apparatus of Claim 3,

wherein when the diagonal elements of the coefficient matrix C are denoted by $m_i$ (i=1,2,...,n) and the inverses of the diagonal elements $m_i$ (i=1,2,...,n) in the finite field GF(p) are denoted by $I_i$ (i=1,2,...,n), the diagonal element inverting means includes

(a) a multiplying unit for computing

$$t_i = \prod_{k=1}^{n} m_k \ (\text{except } m_i) \bmod p \quad (i=1,2,\ldots,n)$$

and 

n 



(b) a first inverting unit for computing

$$u = 1/t \bmod p$$

and

(c) a second inverting unit for computing

$$I_i = u \times t_i \bmod p \quad (i=1,2,\ldots,n)$$

to find the inverses $I_i$ (i=1,2,...,n).

5. The apparatus of Claim 4,

wherein the multiplying unit calculates






s^-Sj^iflj mod p 



in the stated order, then calculates 












«^n-2=-s„.,xs„ mod p 

t„-,--5„.^xs^.^ mod p 
Sg^m^^s^ mod p 



tj-s^ mod p 
s^=jnjX5^ mod p 
t^^m^xs^ mod p 
tj^^jn^xs^ mod p 

in the stated order, and lastly calculates

$$t = t_j \times m_j$$

for a value j chosen from a set of positive integers {1,2,...,n}.

6. The apparatus of Claim 2,

wherein each transformation process has a coefficient group calculation process and transformation subprocesses, performed following the coefficient group calculation process, each for transforming a separate one of the object equations,

wherein in the coefficient group calculation process the triangular transforming means

(a) chooses m nonzero coefficients by taking one nonzero coefficient from each of the pivotal equation and the object equations, multiplies each combination of (m−1) of the chosen nonzero coefficients, and sets the m multiplication results into the first coefficient group, m being a positive integer no smaller than 2, and

(b) multiplies each of a constant and n coefficients in the pivotal equation by a multiplication result in the first coefficient group for a combination of nonzero coefficients that does not include a nonzero coefficient chosen from the pivotal equation, and sets n+1 values obtained by the multiplications into the second coefficient group, and

wherein in each of the transformation subprocesses following the coefficient group calculation process, the triangular transforming means

(a) changes a nonzero coefficient chosen from the object equation in the coefficient group calculation process, to 0 in the object equation, and

(b) multiplies each of a constant and n coefficients in the object equation by a multiplication result in the first coefficient group for a combination of nonzero coefficients that does not include the nonzero coefficient chosen from the object equation, and subtracts the n+1 values in the second coefficient group respectively from the n+1 multiplication results.

7. The apparatus of Claim 6,

wherein when the diagonal elements of the coefficient matrix C are denoted by $m_i$ (i=1,2,...,n) and the inverses of the diagonal elements $m_i$ (i=1,2,...,n) in the finite field GF(p) are denoted by $I_i$ (i=1,2,...,n), the diagonal element inverting means includes

(a) a multiplying unit for computing

$$t_i = \prod_{k=1}^{n} m_k \ (\text{except } m_i) \bmod p \quad (i=1,2,\ldots,n)$$


and 

n 

(b) a first inverting unit for computing

$$u = 1/t \bmod p$$

and

(c) a second inverting unit for computing

$$I_i = u \times t_i \bmod p \quad (i=1,2,\ldots,n)$$

to find the inverses $I_i$ (i=1,2,...,n).

8. The apparatus of Claim 7,

wherein the multiplying unit calculates



in the stated order, then calculates 



s^-JHjXjn^ mod p 
s^— SjXiHj mod p 

5«.j='5„,,xin„.^ mod p 

t„.i=s^.3^in„ ^od p 
s„-in^.^xin„ mod p 

tn>2=S^-.^5n ^Od P 



^ t^.3=s„.5xs^., mod p 

35 ^n-4='^n^6''^n^2 ^^d p 

s^-m^^Sg mod p 


t^=s^xs5 mod p 
3^=^mj^s^ mod p 


t^-m^xs^ mod p 
t^=jn^xs^ mod p 


in the stated order, and lastly calculates

$$t = t_j \times m_j$$

for a value j chosen from a set of positive integers {1,2,...,n}.
9. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 1; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

10. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 2; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

11. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 3; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

12. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 4; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

13. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 5; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

14. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 6; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

15. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 7; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

16. An apparatus for use in encryption or decryption, for computing an inverse I of an element y in GF(q) which is an extension field of a finite field GF(p), where p is a prime, $q=p^n$, and n is a positive integer, the apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 8; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

17. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 1; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

18. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 2; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

19. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 3; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

20. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 4; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

21. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 5; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

22. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 6; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

23. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record medium, an inverse I of an element y in GF(q) to decrypt the encrypted digital content recorded on the record medium, where GF(q) is an extension field of a finite field GF(p), p is a prime, $q=p^n$, n is a positive integer, and G is a base point of the elliptic curve E, the record medium reproducing apparatus comprising:

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) whose root is α;

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving means including the apparatus of Claim 7; and

inverse computing means for computing the inverse I using the root α and the solutions found by the equation solving means.

24. A record medium reproducing apparatus for computing, when copyrighted digital content has been encrypted using 
20 a discrete logarithm problem on an elliptic curve E over GF(q) as a basis for security and recorded on a record 

medium, an inverse / of an element y in GF(q) to decrypt the encrypted digital content recorded on the record 
medium, where GF(q} is an extension field of a finite field GF(p), p is a prime, gsp", n is a positive integer, and G 
is a base point of the elliptic curve E, the record medium reproducing apparatus comprising: 

equation generating means for generating a coefficient matrix A and a constant vector b for a system of linear 
equations Ax=b in n unknowns, using the element y and all coefficients of a generator polynomial of GF(q) 
whose root is a; 

equation solving means for finding solutions of the system of linear equations Ax=b, the equation solving 
means including the apparatus of Claim 8; and 

inverse computing means for computing the inverse I using the root a and the solutions found by the equation 
solving means. 

25. A method for solving a system of linear equations Ax=b in n unknowns on a finite field GF(p) where p is a prime, 
n is a positive integer, A is a coefficient matrix consisting of elements of n rows and n columns, x is a vector of 
unknowns consisting of n elements, and b is a constant vector consisting of n elements, for use in encryption or 
decryption in an apparatus equipped with parameter storing means which stores the coefficient matrix A and the 
constant vector b, the method comprising: 

a triangular transforming step for reading the coefficient matrix A and the constant vector b from the parameter 
storing means, and transforming the read coefficient matrix A and constant vector b to generate a coefficient 
matrix C and a constant vector d for a system of linear equations Cx=d in n unknowns that is equivalent to the 
system of linear equations Ax=b, the coefficient matrix C consisting of elements of n rows and n columns and 
the constant vector d consisting of n elements, wherein the coefficient matrix A is triangular transformed into 
the coefficient matrix C of upper triangular form without diagonal elements of the coefficient matrix A being 
changed to 1; 

a diagonal element inverting step for calculating inverses of diagonal elements of the generated coefficient 
matrix C on the finite field GF(p); and 

an equation computing step for solving the system of linear equations Cx=d using the coefficient matrix C, the 
constant vector d, and the inverses of the diagonal elements of the coefficient matrix C, to thereby solve the 
system of linear equations Ax=b. 

26. The method of Claim 25, 

wherein the triangular transforming step includes one or more successive transformation processes to generate 
the coefficient matrix C and the constant vector d of the system of linear equations Cx=d from the coefficient 
matrix A and the constant vector b of the system of linear equations Ax=b, 

wherein in each transformation process a coefficient matrix and a constant vector of a system of linear equations 
in n unknowns are transformed into a coefficient matrix and a constant vector of a system of linear equations in n 
unknowns that is equivalent to the system of linear equations before the transformation, where the system of linear 
equations Ax=b is subjected to the first transformation process and the system of linear equations Cx=d is generated 
as a result of the last transformation process, 

wherein in each transformation process the system of linear equations in n unknowns that is subjected to the transformation 
includes one pivotal equation which is a linear equation serving as a pivot for the transformation and one 
or more object equations which are linear equations to be transformed, and each of the object equations is transformed 
into an equation equivalent to the object equation by 

defining a first coefficient group containing at least one value related to the pivotal equation and a second coefficient 
group containing n+1 values related to the pivotal equation, 
changing a nonzero coefficient in the object equation to 0, and 
multiplying each of a constant and n coefficients in the object equation by the value in the first coefficient group, 
and subtracting the n+1 values in the second coefficient group respectively from the n+1 multiplication results. 

27. The method of Claim 26, 

wherein each transformation process has transformation subprocesses each for transforming a separate one of the 
object equations, 

wherein in each transformation subprocess 

(a) a nonzero coefficient is chosen from the pivotal equation and set into the first coefficient group, 

(b) a nonzero coefficient is chosen from the object equation, each of a constant and n coefficients in the pivotal 
equation is multiplied by the nonzero coefficient chosen from the object equation, and n+1 values obtained by 
the multiplications are set into the second coefficient group, 

(c) the chosen nonzero coefficient in the object equation is changed to 0, and 

(d) each of a constant and n coefficients in the object equation is multiplied by the nonzero coefficient in the 
first coefficient group, and the n+1 values in the second coefficient group are subtracted respectively from the 
n+1 multiplication results. 

28. The method of Claim 27, 

wherein when the diagonal elements of the coefficient matrix C are denoted by $m_i$ (i=1,2,...,n) and the inverses of 
the diagonal elements $m_i$ (i=1,2,...,n) in the finite field GF(p) are denoted by $I_i$ (i=1,2,...,n), the diagonal element 
inverting step includes 

(a) a multiplying substep for computing 

$t_i = \prod_{k=1}^{n} m_k \ (\text{except } m_i) \bmod p \quad (i=1,2,\ldots,n)$ 

and 

$t = \prod_{k=1}^{n} m_k \bmod p$ 

(b) a first inverting substep for computing 

$u = 1/t \bmod p$ 

and 

(c) a second inverting substep for computing 

$I_i = u \times t_i \bmod p \quad (i=1,2,\ldots,n)$ 

to find the inverses $I_i$ (i=1,2,...,n). 
29. The method of Claim 28, 
wherein the multiplying substep calculates 

$s_1 = m_1 \times m_2 \bmod p$ 
$s_2 = s_1 \times m_3 \bmod p$ 
... 
$s_{n-3} = s_{n-4} \times m_{n-2} \bmod p$ 

in the stated order, then calculates 

$t_n = s_{n-3} \times m_{n-1} \bmod p$ 
$t_{n-1} = s_{n-3} \times m_n \bmod p$ 
$s_n = m_{n-1} \times m_n \bmod p$ 
$t_{n-2} = s_{n-4} \times s_n \bmod p$ 
$s_{n-1} = m_{n-2} \times s_n \bmod p$ 
$t_{n-3} = s_{n-5} \times s_{n-1} \bmod p$ 
$s_{n-2} = m_{n-3} \times s_{n-1} \bmod p$ 
$t_{n-4} = s_{n-6} \times s_{n-2} \bmod p$ 
... 
$s_5 = m_4 \times s_6 \bmod p$ 
$t_3 = s_1 \times s_5 \bmod p$ 
$s_4 = m_3 \times s_5 \bmod p$ 
$t_2 = m_1 \times s_4 \bmod p$ 
$t_1 = m_2 \times s_4 \bmod p$ 

in the stated order, and lastly calculates 

$t = t_j \times m_j$ 

for a value j chosen from a set of positive integers {1,2,...,n}. 
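The method of claims 25 to 28, worked through in Python as an added example that is not part of the patent text: division-free triangular transformation, a single modular inversion shared by all diagonal elements, then back-substitution. The function names, the sample system over GF(31) and the row swap used to pick a pivotal equation are assumptions, and invert_diagonal builds the t_i from plain prefix and suffix products rather than following claim 29's exact schedule.

```python
# Added illustration, not from the patent. Function names and the sample
# system are constructed; row swapping for pivot selection is an assumption.

def triangularize(A, b, p):
    """Division-free elimination over GF(p) (claims 25-27): the diagonal
    elements are left as they fall out, not normalized to 1."""
    n = len(A)
    C = [[x % p for x in row] + [bi % p] for row, bi in zip(A, b)]
    for j in range(n):
        piv = next((r for r in range(j, n) if C[r][j]), None)
        if piv is None:
            raise ValueError("matrix is singular over GF(p)")
        C[j], C[piv] = C[piv], C[j]            # pivotal equation goes to row j
        first = C[j][j]                        # first coefficient group
        for i in range(j + 1, n):              # object equations
            coef = C[i][j]
            if coef:
                second = [coef * y % p for y in C[j]]   # n+1 values
                C[i] = [(first * x - s) % p for x, s in zip(C[i], second)]
    return [row[:n] for row in C], [row[n] for row in C]

def invert_diagonal(m, p):
    """Claim 28: t_i = product of all m_k except m_i, t = t_1*m_1,
    u = 1/t (the single inversion), I_i = u*t_i."""
    n = len(m)
    pre, suf = [1] * (n + 1), [1] * (n + 1)
    for i in range(n):                         # pre[i] = m_0 * ... * m_(i-1)
        pre[i + 1] = pre[i] * m[i] % p
    for i in range(n - 1, -1, -1):             # suf[i] = m_i * ... * m_(n-1)
        suf[i] = suf[i + 1] * m[i] % p
    t = [pre[i] * suf[i + 1] % p for i in range(n)]
    u = pow(t[0] * m[0] % p, p - 2, p)         # Fermat inverse, p prime
    return [u * ti % p for ti in t]

def solve_mod_p(A, b, p):
    """Back-substitution on Cx=d using the precomputed diagonal inverses."""
    C, d = triangularize(A, b, p)
    n = len(C)
    inv = invert_diagonal([C[i][i] for i in range(n)], p)
    x = [0] * n
    for i in range(n - 1, -1, -1):
        acc = d[i] - sum(C[i][k] * x[k] for k in range(i + 1, n))
        x[i] = acc % p * inv[i] % p
    return x

# Constructed sample over GF(31); b was built from x = [5, 7, 11].
P = 31
A = [[2, 3, 1], [4, 1, 5], [6, 2, 3]]
B = [11, 20, 15]
```

For n unknowns this costs one field inversion in total, where normalizing each diagonal element to 1 during elimination would cost n of them.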





30. The method of Claim 26, 
wherein each transformation process includes a coefficient group calculation process and transformation subprocesses, 
performed following the coefficient group calculation process, each for transforming a separate one of the 
object equations, 

wherein in the coefficient group calculation process 

(a) m nonzero coefficients are chosen by taking one nonzero coefficient from each of the pivotal equation and 
the object equations, each combination of (m-1) of the chosen nonzero coefficients is multiplied, and the m 
multiplication results are set into the first coefficient group, m being a positive integer no smaller than 2, and 

(b) each of a constant and n coefficients in the pivotal equation is multiplied by a multiplication result in the first 
coefficient group for a combination of nonzero coefficients that does not include a nonzero coefficient chosen 
from the pivotal equation, and n+1 values obtained by the multiplications are set into the second coefficient 
group, 

wherein in each of the transformation subprocesses following the coefficient group calculation process 

(a) a nonzero coefficient chosen from the object equation in the coefficient group calculation process is 
changed to 0 in the object equation, and 

(b) each of a constant and n coefficients in the object equation is multiplied by a multiplication result in the first 
coefficient group for a combination of nonzero coefficients that does not include the nonzero coefficient chosen 
from the object equation, and the n+1 values in the second coefficient group are subtracted respectively from 
the n+1 multiplication results. 

31. The method of Claim 30, 

wherein when the diagonal elements of the coefficient matrix C are denoted by $m_i$ (i=1,2,...,n) and the inverses of 
the diagonal elements $m_i$ (i=1,2,...,n) in the finite field GF(p) are denoted by $I_i$ (i=1,2,...,n), the diagonal element 
inverting step includes 

(a) a multiplying substep for computing 

$t_i = \prod_{k=1}^{n} m_k \ (\text{except } m_i) \bmod p \quad (i=1,2,\ldots,n)$ 

and 

$t = \prod_{k=1}^{n} m_k \bmod p$ 

(b) a first inverting substep for computing 

$u = 1/t \bmod p$ 

and 

(c) a second inverting substep for computing 

$I_i = u \times t_i \bmod p \quad (i=1,2,\ldots,n)$ 

to find the inverses $I_i$ (i=1,2,...,n). 

32. The method of Claim 31, 

wherein the multiplying substep calculates 

$s_1 = m_1 \times m_2 \bmod p$ 
$s_2 = s_1 \times m_3 \bmod p$ 
... 
$s_{n-3} = s_{n-4} \times m_{n-2} \bmod p$ 

in the stated order, then calculates 

$t_n = s_{n-3} \times m_{n-1} \bmod p$ 
$t_{n-1} = s_{n-3} \times m_n \bmod p$ 
$s_n = m_{n-1} \times m_n \bmod p$ 
$t_{n-2} = s_{n-4} \times s_n \bmod p$ 
$s_{n-1} = m_{n-2} \times s_n \bmod p$ 
$t_{n-3} = s_{n-5} \times s_{n-1} \bmod p$ 
$s_{n-2} = m_{n-3} \times s_{n-1} \bmod p$ 
$t_{n-4} = s_{n-6} \times s_{n-2} \bmod p$ 
... 
$s_5 = m_4 \times s_6 \bmod p$ 
$t_3 = s_1 \times s_5 \bmod p$ 
$s_4 = m_3 \times s_5 \bmod p$ 
$t_2 = m_1 \times s_4 \bmod p$ 
$t_1 = m_2 \times s_4 \bmod p$ 

in the stated order, and lastly calculates 

$t = t_j \times m_j$ 

for a value j chosen from a set of positive integers {1,2,...,n}. 

FIG. 3 

FIG. 4 

INVERSION OF DIAGONAL ELEMENTS 
START 
S141: DIAGONAL ELEMENTS RECEIVED 
S142: $t_i = \prod m_k$ (EXCEPT $m_i$) mod p (i=1,2,...,n) 
S143: $t = t_k \times m_k$ mod p 
S144: $u = 1/t$ mod p 
S145: $I_i = u \times t_i$ mod p (i=1,2,...,n) 
S146: INVERSES $I_i$ (i=1,2,...,n) OUTPUTTED 
RETURN 

FIG. 5 

FIG. 6 

FIG. 7 